USRE43987E1 - System and method for protecting a computer system from malicious software - Google Patents

System and method for protecting a computer system from malicious software Download PDF

Info

Publication number
USRE43987E1
USRE43987E1 US13/015,186 US201113015186A USRE43987E US RE43987 E1 USRE43987 E1 US RE43987E1 US 201113015186 A US201113015186 A US 201113015186A US RE43987 E USRE43987 E US RE43987E
Authority
US
United States
Prior art keywords
data
memory space
logical process
processor
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US13/015,186
Inventor
Allen F. Rozman
Alfonso J. Cioffi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ROZMAN MEGAN ELIZABETH
ROZMAN MELANIE ANN
ROZMAN MORGAN LEE
Original Assignee
Rozman Allen F
Cioffi Alfonso J
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=35759063&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=USRE43987(E1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Rozman Allen F, Cioffi Alfonso J filed Critical Rozman Allen F
Priority to US13/015,186 priority Critical patent/USRE43987E1/en
Application granted granted Critical
Publication of USRE43987E1 publication Critical patent/USRE43987E1/en
Assigned to CIOFFI, ALFONSO reassignment CIOFFI, ALFONSO LETTERS OF TESTAMENTARY (SEE DOCUMENT FOR DETAILS). Assignors: ROZMAN, ALLEN FRANK
Assigned to ROZMAN, MEGAN ELIZABETH, ROZMAN, MELANIE ANN, ROZMAN, MORGAN LEE reassignment ROZMAN, MEGAN ELIZABETH ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CIOFFI, ALFONSO
Assigned to ROZMAN, MEGAN ELIZABETH, ROZMAN, MELANIE ANN, ROZMAN, MORGAN LEE reassignment ROZMAN, MEGAN ELIZABETH CORRECTIVE ASSIGNMENT TO CORRECT THE CONVEYING PARTY DATA TO READ ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE) PREVIOUSLY RECORDED ON REEL 034385 FRAME 0958. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE)
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Definitions

  • the present invention relates generally to computer hardware and software, and more particularly to a system and method for protecting a computer system from malicious software.
  • Goldstein 5,666,030 Multiple window generation in computer Parson display.
  • 5,995,103 Window grouping mechanism for Ashe creating, manipulating and displaying windows and window groups on a display screen of a computer system.
  • 5,502,808 Video graphics display system with Goddard, et al. adapter for display management based upon plural memory sources.
  • 5,280,579 Memory mapped interface between host Nye computer and graphics system.
  • 5,918,039 Method and apparatus for display of Buswell, et al windowing application programs on a terminal. 6,480,198 Multi-function controller and method for a Kang computer graphics display system. 6,167,522 Method and apparatus for providing Lee, et al.
  • 6,578,140 Personal computer having a master Policard computer system and in internet computer system and monitoring a condition of said master and internet computer systems
  • Malware is comprised of, but not limited to, classes of software files known as viruses, worms, Trojan horses, browser hijackers, adware, spyware, pop-up windows, data miners, etc.
  • Such malware attacks are capable of stealing data by sending user keystrokes or information stored on a user's computer back to a host, changing data or destroying data on personal computers and/or servers and/or other computerized devices, especially through the Internet.
  • these items represent a nuisance that interferes with the smooth operation of the computer system, and in the extreme, can lead to the unauthorized disclosure of confidential information stored on the computer system, significant degradation of computer system performance, or the complete collapse of computer system function.
  • malware programs are designed to protect themselves from deletion.
  • some malware programs comprise a pair of programs running simultaneously, with each program monitoring the other for deletion. If one of the pair of programs is deleted, the other program installs a replacement within milliseconds.
  • some malware will run as a Windows program with a .dlls extension, which Windows may not allow a user to delete while it is executing.
  • Malware may also reset a user's browser home page, change browser settings, or hijack search requests and direct such requests to another page or search engine. Further, the malware is often designed to defeat the user's attempts to reset the browser settings to their original values.
  • some malware programs secretly record user input commands (such as keystrokes), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, credit account numbers, etc.
  • O/S operating system
  • CPU central processing unit
  • Multi-tasking O/S's allow programs to execute simultaneously by allowing programs to share resources with other programs. For example, an operating system running multiple programs executing at the same time allows the programs to share the computer's CPU time. Programs which run on the same system, even if not simultaneously with other programs, share space on the same nonvolatile memory storage medium.
  • Programs which are executing simultaneously are presently able to place binaries and data in the same physical memory at the same time, limited to a certain degree by the O/S restrictions and policy, to the extent that these are properly implemented.
  • Memory segments are shared by programs being serviced by the O/S, in the same manner.
  • O/S resources such as threads, process tables and memory segments, are shared by programs executing simultaneously as well.
  • Security problems include allowing the malware program: to capitalize CPU time, leaving other programs with little or no CPU time; to read, forge, write, delete or otherwise corrupt files created by other programs; to read, forge, write, delete or otherwise corrupt executable files of other programs, including the O/S itself; and to read and write memory locations used by other programs to thus corrupt execution of those programs.
  • the computer may run an O/S, with several user applications, together comprising a known and trusted set of programs, concurrently with an Internet browser, possibly requiring the execution of downloaded code, such as Java applets, or EXE/COM executables, with the latter programs possibly containing malware.
  • O/S Open/S Security
  • Many security features and products are being built by software manufacturers and by O/S programmers to prevent malware infiltrations from taking place, and to ensure the correct level of isolation between programs.
  • malware programs for virtually every software security mechanism, a malware practitioner has found a way to subvert, or hack around, the security system, allowing a malware program to cause harm to other programs in the shared environment. This includes every operating system and even the Java language, which was designed to create a standard interface, or sandbox, for Internet downloadable programs or applets.
  • a typical multi-tasking O/S environment includes an O/S kernel loaded in the computer random access memory (RAM) at start-up of the computer.
  • the O/S kernel is a minimal set of instructions which loads and off-loads resources and resource vectors into RAM as called upon by individual programs executing on the computer.
  • Other resources, such as disk read and write, are left in RAM while the operating system is running because such resources are more often used than others.
  • the most common state-of the-art solutions for preventing malware infiltration are software based, such as blockers, sweepers and firewalls, for example, and hardware based solutions such as router/firewalls.
  • software designed to counter malware are Norton Systems Works, distributed by the Symantec Corporation, Ad-aware, distributed by the Lavasoft Corporation of Sweeden, Spy Sweeper, distributed by the Webroot Software Corporation, Spyware Guard, distributed by Javacool Software LLC, among others.
  • Such anti-malware programs are limited because they can only detect known malware that has already been identified (usually after the malware has already attacked one or more computers).
  • Network firewalls are typically based on packet filtering, which is limited in principle, since the rules determining which packets to accept and which to reject may contain subjective decisions based on trusting known sites or known applications.
  • a malicious application may take over the computer or server or possibly the entire network and create unlimited damages (directly or indirectly by opening the door to additional malicious applications).
  • the methods in the prior art are typically comprised of embedded software countermeasures that detect and filter unwanted intrusions in real time, or scan the computer system either at the direction of a user or as a scheduled event.
  • Two problems arise from these methods.
  • a comprehensive scan, detect, and elimination of malware from desired incoming data streams could significantly slow or preclude the interactive nature of many applications such a gaming, messaging, and browsing.
  • newly implemented software screens may be quickly circumvented by malware practitioners who are determined to pass their files through the screen.
  • Newly discovered malware leads to the development of additional screens, which lead to more malware, etc., thus creating an escalating cycle of measure, countermeasure.
  • the basic flaw is that all incoming executable data files must be resident on the computers main processor to perform their desired function. Once resident on that processor, access may be gained to non-volatile memory and other basic computer system elements. Malware exploits this key architectural flaw to infiltrate and compromise computer systems.
  • malware signatures are held in a database which must be constantly updated to reflect the most recently identified malware.
  • users regularly download replacement databases, either over the Internet, from a received e-mail, or from a CDROM or floppy disc. Users are also expected to update their software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a new strain of malware is detected).
  • a major problem faced by computer users connected to a network is that the network interface program (a browser, for example) is resident on the same processor as the O/S and other trusted programs, and shares space on a common memory storage medium.
  • the network interface program a browser, for example
  • malware practitioners have demonstrated great skill in circumventing software security measures to create malware capable of corrupting critical files on the shared memory storage medium. When this happens, users are often faced with a lengthy process of restoring their computer systems to the correct configuration, and often important files are simply lost because no backup exists.
  • the network interface program may be advantageously given access to a separate, protected memory area, while being unable to initiate access to the main computer's memory storage area.
  • malware programs are rendered unable to automatically corrupt critical system and user files located on the main memory storage area. If a malware infection occurs, a user would be able to completely clean the malware infection from the computer using a variety of methods. A user could simply delete all files contained in the protected memory area, and restore them from an image residing on the main memory area, for example.
  • malware its effects on computer systems, techniques used by malware practitioners to install malware, and techniques for detection and removal, may be found in the published literature, and in some of the patents and applications previously incorporated by reference.
  • Reference to malware may be found in a technical white paper entitled “Spyware, Adware, and Peer-to-Peer Networks: The Hidden Threat to Corporate Security.”, by Kevin Townsend, ⁇ Pest Patrol Inc. 2003. Pest Patrol is a Carlisle; Pa. based developer of software security tools.
  • Another reference is a technical white paper entitled “Beyond Viruses: Why anti-virus software is no longer enough.” by David Stang, PhD, ⁇ Pest Patrol Inc. 2002.
  • Embodiments of the present invention achieve technical advantages as a system and method for protecting a computer system from malicious software attacks via a network connection.
  • a computer system comprising a first electronic data processor is communicatively coupled to a first memory space and to a second memory space, a second electronic data processor is communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device, a video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format, wherein the computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.
  • Memory This term is intended to broadly encompass any device capable of storing and/or incorporating computer readable code for instantiating the client device referred to immediately above. Thus, the term encompasses all types of recording medium, e.g., a CD-ROM, a disk drive (hard or soft), magnetic tape, and recording devices, e.g., memory devices including DRAM, SRAM, EEPROM, FRAM, and Flash memory. It should be noted that the term is intended to include any type of device which could be deemed persistent storage. To the extent that an Application Specific Integrated Circuit (ASIC) can be considered to incorporate instructions for instantiating a client device, an ASIC is also considered to be within the scope of the term “memory.”
  • ASIC Application Specific Integrated Circuit
  • FIG. 1 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention
  • FIG. 2 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention
  • FIG. 3 illustrates a preferred embodiment of an exemplary file download process according to the principles of the present invention
  • FIG. 4 illustrates a preferred embodiment of an exemplary memory restoration process according to the principles of the present invention
  • FIG. 5 illustrates a preferred embodiment of an exemplary automatic memory restoration and cleaning process according to the principles of the present invention
  • FIG. 6 illustrates a preferred embodiment of an exemplary interactive network process flow according to the principles of the present invention
  • FIG. 7 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention.
  • FIG. 8 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention
  • FIG. 9 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention.
  • FIG. 10 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention.
  • Computer system 100 may represent, for example, a personal computer (PC) system, a server, a portable computer, such as a notebook computer, or any data processing system, a personal digital assistant (PDA), a communication device such as a cell phone, or device that is capable of being connected to a network of one or more computers.
  • System 100 comprises a first processor 120 (P 1 ) communicatively coupled to a first memory and data storage area 110 (M 1 ).
  • P 1 100 may comprise, for example, a microprocessor, such as a Pentium® 4 processor, manufactured by the Intel Corporation, or a Power PC® processor, manufactured by the IBM Corporation.
  • Other electronic data processors manufactured by other companies including but not limited to electronic data processors realized in Application Specific Integrated Circuits (ASICs) or in Field Programmable Gate Arrays (FP-GAs), are within the spirit and scope of the present invention.
  • ASICs Application Specific Integrated Circuits
  • FP-GAs Field Programmable Gate Arrays
  • the first memory and data storage area 110 may comprise both volatile and nonvolatile memory devices, such as DRAMs and hard drives, respectively. Any memory structure and/or device capable of being communicatively coupled to P 1 may be advantageously used in the present invention.
  • M 1 may be used to store, for example, critical operating system files, user data and applications, interim results of calculations, etc.
  • the many uses of computer memory are well understood by those skilled in the art, and will not be discussed further here. One may refer to several of the aforementioned patents and applications incorporated by reference, in addition to other references, for a discussion of existing computer architectures and uses of computer memory.
  • user interface 150 which may comprise, for example, a keyboard, mouse or other pointing device, microphone, pen pad, etc.
  • a video processor 170 is used to format information for display and transmit the display information to a video display device 180 , which is viewed by user 160 .
  • Video processor 170 typically includes an associated video memory area, which may be dedicated to the video processor, or shared with other resources. It is understood in the art that the video processor 170 may be part of processor P 1 120 , in that it may be integrated onto the microprocessor chip.
  • Video processor 170 may also comprise a processor IC located on a video graphics card, which is communicatively coupled to a computer motherboard. Additionally, video processor 170 may comprise circuitry located on the computer motherboard. Further still, functions of video processor 170 may be split between the processor, motherboard, or separate video graphics card.
  • Network interface device 190 may comprise, for example, a telephone modem, a cable modem, a DSL line, a router, gateway, hub, etc. Any device capable of interfacing with the network 195 may be used, via a wired connection, a wireless connection, or an optical connection, for example.
  • Network interface device 190 may connect to network 195 through one or more additional network interface devices (not shown).
  • network interface device 190 may comprise a gateway or router, connected to a cable modem, with the cable modem connected to network 195 .
  • other configurations are within the spirit and scope of the present teachings.
  • network 195 is isolated from the first processor 120 and memory 110 by a second processor 140 (P 2 ).
  • Second processor 140 may comprise any electronic data processor, such as the devices previously described as applicable to first processor 120 .
  • Communicatively coupled to P 2 140 is second memory and data storage area 130 (M 2 ), which may comprise any memory device or devices, such as the devices previously described as applicable to first memory 110 .
  • the architecture of computer system 100 is designed to be capable of protecting memory 110 from malware initiated intrusions, and preventing malware from initiating unwanted processes on first processor 120 . This is accomplished by using second processor 140 to isolate 110 and 120 from network 195 .
  • P 2 140 is communicatively coupled to memory storage area M 2 130 , and may be configured such that P 2 140 is incapable of initiating access to memory storage area M 1 110 .
  • P 2 140 may be capable of accessing memory storage area M 1 110 with the strict permission of user 160 , either through a real time interaction or via stored configuration or commands.
  • Such a configuration may be desirable in a multi-core or multi processor system, where user 160 may wish to use P 2 140 in either a protected mode or an unprotected mode, depending on the application.
  • P 1 120 is communicatively coupled to both memory areas M 1 110 and M 2 130 , thereby enabling P 1 120 to access data downloaded from the network 195 .
  • any malware that has intruded the 130 - 140 system is thus confined to the 130 - 140 system, and may be configured to be incapable of automatically corrupting data contained on M 1 110 , or of automatically initiating an unwanted process on P 1 120 .
  • Computer user 160 wishes to connect to network 195 via for example, a browser program such as Internet Explorer or Netscape Navigator. Of course, other methods of connecting to network 195 may be used.
  • User 160 inputs commands to open a protected process (e.g. a browser program in this example) at step 210 .
  • 1 st processor 120 instructs 2 nd processor 140 to initiate the protected process and open one or more process windows.
  • Second processor 140 in conjunction with memory 130 , then interacts with the network 195 via network interface device 190 , receiving and transmitting the data necessary to execute the desired protected process, such as browsing the internet or communication via e-mail.
  • Second processor 140 and memory 130 act as a separate computer system, interacting with network 195 while isolating network 195 from the first processor 120 and memory 110 .
  • Memory 130 may store critical application and system files required by second processor 140 to execute the desired tasks.
  • Memory 130 also stores data necessary to carry out the desired protected process.
  • first processor 120 receives user interface data from user 160 , and passes user interface data to second processor 140 when the protected process window is selected or active, illustrated at step 230 .
  • User interface data such as keystrokes for example, may be advantageously encrypted by P 1 120 before passing the data to P 2 140 , with network interface device 190 possibly decrypting the data prior to transmitting the data to network 195 .
  • Second processor 140 generates video data for the protected process window(s) and passes the video data to video processor 170 , for eventual display on video display 180 , shown at step 240 .
  • Video processor 170 then interleaves the video data from all processes being executed by first processor 120 and second processor 140 , at step 250 . While there are many applicable methods for displaying video data from multiple sources, one such method was described in U.S. Pat. No. 5,751,979, entitled “Video hardware for protected, multiprocessing systems”, previously incorporated by reference.
  • any malware is downloaded from network 195 , it is stored in memory 130 , and/or run as a process on second processor 140 .
  • any downloaded malware is rendered incapable of self initiating access to memory 110 or first processor 120 , because second processor 140 is rendered incapable of initiating access to 110 and 120 without a direct or stored command from user 160 . Any malware infection is thus confined. If a malware attack corrupts files and/or disrupts the operation of the 130 - 140 system, the user may easily shut down the corrupted process and restore the corrupted files from a protected image stored on memory 110 , for example.
  • the operating system controlling the 110 - 120 system may be different from an operating system controlling the protected 130 - 140 system. Conversely, a common operating system may control both the 110 - 120 system and the protected 130 - 140 system.
  • a user 160 may find it desirable to transfer files from the protected 130 - 140 system to the 110 - 120 system. User 160 may find it necessary, for example, to transfer an attachment from an e-mail message stored on memory 130 to the 110 - 120 system for further processing, modification, etc.
  • the computer system 100 may go through a process whereby a file or other data is transferred from the 130 - 140 system to the 110 - 120 system, exemplified by the process 300 illustrated in FIG. 3 .
  • user 160 selects one or more data files to download from network 195 .
  • the desired data is downloaded to the 130 - 140 system at step 320 .
  • the user 160 then directs computer system 100 to move the desired file(s) from the 130 - 140 system to the 110 - 120 system at step 330 .
  • P 1 120 may then perform a malware scan on the desired files, either in real time as the data is being transferred, or while the data still resides in M 2 130 (step 340 ). Alternatively, P 2 140 may perform the malware scan.
  • processor P 2 140 (or P 1 120 ) determines if malware has been detected in the desired file(s), and thus P 1 120 makes a decision.
  • the file(s) are moved or copied onto M 2 110 at step 360 . If malware is detected, the data file(s) are quarantined on M 2 130 , and the data file(s), if transferred to M 1 100 , are erased or quarantined. Once malware is detected, the user 160 may be alerted of the detection (step 370 ). Either as a result of user input or stored configuration commands, the infected file(s) are deleted, cleaned, or quarantined on M 2 130 , at step 380 .
  • the user 160 would of course understand the dangers inherent in transferring downloaded files from the 130 - 140 system to the 110 - 120 system.
  • the user's anti-malware software may not be up to date, or may simply be unable to detect certain types of malware.
  • the malware itself may be so new that the user's anti-malware definitions have not been updated as yet. Therefore the user may wish to keep the files on the 130 - 140 system for some period of time. Consequently, it may be desirable to have resident on the 130 - 140 system a variety of application software such as readers, thereby allowing the user to examine the files without risking transferring the files to the 110 - 120 system.
  • reader programs such as Adobe Acrobat Reader, by the Adobe Systems Corporation, or Visio reader, by the Microsoft Corporation, are typically subset application programs of the full featured application programs, and may thus require far less memory space than the full application. Additionally, software companies often distribute the reader programs for free (or a nominal fee), thereby providing advertising for the full featured application in the hopes that it will be eventually purchased by the user.
  • This reader application may be opened and executed on the 130 - 140 system in a manner similar to the process described in FIG. 2 .
  • a user 160 may also load a full application into the 130 - 140 system, enabling processing and modification of a downloaded file fully in the protected space, without risking a transfer of the file to the 110 - 120 system.
  • the user 160 may wish to clean the 130 - 140 system. This cleaning may be accomplished by running an anti-malware application on the 130 - 140 system. However, if the infection is too severe for the anti-malware software to clean, or if the malware is undetectable by the user's anti-malware software, the user may wish to restore critical system files (or other user data files) for the 130 - 140 system from a protected image stored on M 1 100 , for example. It is of course understood that the critical system file image may be restored from another device, such as a removable drive or a CD, for example. The user may however consider it more convenient to restore the critical system files from an image on M 1 100 .
  • an exemplary process for restoring M 2 130 from M 1 110 is illustrated by process 400 in FIG. 4 .
  • malware is detected or suspected to be infecting the 130 - 140 system.
  • the user instructs P 1 120 to reload critical system files onto M 2 130 from a protected image on M 1 110 , at step 420 .
  • P 1 120 may scan all or part of the data contained on M 2 130 for malware, and may scan all processes currently running on P 2 140 .
  • the scan may be initiated by direct instructions from the user, or by stored configuration commands, for example (step 430 ).
  • P 1 120 may delete all or part of the data contained on M 2 .
  • P 1 120 may also reset P 2 140 and/or delete the contents of any RAM communicatively coupled to P 2 140 (step 440 ).
  • clean critical system files are loaded onto M 2 130 from any of the sources previously mentioned, preferably an image stored on M 1 110 (step 450 ).
  • the 130 - 140 may now be rebooted and/or reinitialized from the clean critical system files.
  • the user may elect to do a low level format on the M 1 110 memory in order to ensure that the malware infection has been cleaned.
  • a user 160 may consider it advantageous for the 130 - 140 system to be automatically reinitialized from clean critical system files when a protected process window is opened. In this way, the new protected process is much less likely to be affected by an infection from a previous protected process session.
  • a user may have a plurality of protected processes open and running during a protected process session. It may only be necessary to automatically reinitialize from clean critical system files when the first protected process is opened during a session. Subsequent protected processes may not require automatic re-initialization from clean critical system files.
  • An exemplary automatic re-initialization from clean critical system files is illustrated by steps 510 , 520 and 530 in FIG. 5a .
  • processes running on P 2 140 may be automatically scanned and compared with an allowed process list, particularly as a protected process is started up. If any process is detected which is not on the allowed list, the user may be alerted that a possible malware infection has occurred. A user may then choose to scan or clean the system, or inspect the unknown process to determine if the process will be allowed to continue to execute. A user may also update the list of allowed processes from time to time as new, legitimate processes are added, for example, by a browser software update.
  • a user 160 may consider it advantageous for the 130 - 140 system to be automatically cleaned when a protected process window is closed. In this way, any detected or undetected malware infections are much less likely to affect a future protected process session. It may only be necessary to automatically clean the 130 - 140 system when the last protected process is closed during a session.
  • An exemplary automatic cleaning process is illustrated by steps 540 , 550 , 560 , 570 and 580 in FIG. 5b .
  • the memory M 2 130 and processor P 2 140 may be automatically scanned for malware infections as the protected process session closes. Infected files may be deleted or quarantined automatically.
  • a user may wish to have automatically cleaned or deleted upon closing a protected process session.
  • temporary internet files, cookies, browser plug-ins, etc. may be deleted or scanned for malware automatically.
  • a user may also wish to have websites that contributed to a malware infection noted, and may wish to place the offending websites in a block list, such that the offending websites cannot be accessed in the future without the user specifically authorizing access.
  • the malware scanner may automatically log the offending website(s), and block future access.
  • the P 2 140 processor and any associated non-volatile memory may be reset and/or erased as the protected process session is closed. The exemplary automatic cleaning process illustrated in FIG. 5b may therefore reduce the risk of a malware infection being carried over to a future protected process session.
  • Interactive network processes such as interactive gaming have become very popular in recent years.
  • a user may log onto a game host located on network 195 , or connect to other computers whose users wish to participate in the game.
  • Computer games such as Quake 3. Arena, by Id Software Incorporated, or Call of Duty, by Activision Incorporated, are just two examples of the plethora of games available that may be played interactively over a network.
  • the user's computer system typically provides the bulk of the processing power and video graphics generation required to display the often fast moving and richly detailed three dimensional game environments. Information about the current and new state of the game is exchanged between various users' computer systems, often in real time.
  • an exemplary process flow 600 allows an interactive network process, such as online gaming, to be carried out on computer system 100 .
  • a user initiates an interactive network process via 2 nd processor P 2 140 (step 610 ).
  • P 2 140 receives interactive network process status data from network connection (step 620 ).
  • P 2 140 informs 1st processor P 1 120 that interactive network process status data is available (step 630 ).
  • P 1 120 retrieves interactive network process status data from P 2 140 and uses the status data to update the interactive network process and update video display (step 640 ).
  • P 1 120 passes the updated interactive network process status data to P 2 140 (step 650 ).
  • P 2 140 then sends the updated interactive network process status data to the network via network connection 195 (step 660 ).
  • the exemplary process 600 or a process functionally equivalent, is carried out continuously as long as the interactive process is running.
  • computer system 100 is capable of actively deciding what data to download and use, and what data to discard or scan for malware.
  • the game status data is buffered prior to loading it onto the 110 - 120 system.
  • the 110 - 120 system may be advantageously configured to only accept game status information in the proper format, thereby minimizing the chance that a malware practitioner could deceptively load malware onto the 110 - 120 system.
  • computer system 100 could be configured such that system 130 - 140 is powerful enough to process the interactive network process without exchanging information with the 110 - 120 system. Such a configuration may be more secure, as a conduit between the 110 - 120 system and the 130 - 140 system may not be necessarily opened.
  • the 130 - 140 system may contain all the necessary files to facilitate the interactive network process.
  • Higher end computers, workstations, and servers often contain dual (or more) processors, such as the Mac G5, manufactured by the Apple Computer Corporation, or a single physical processor with a multiple processor core. Often, the processors in these multi-processor machines are of equal or comparable processing power.
  • one processor may be dedicated to performing functions equivalent to those described for P 1 120 , with a second processor performing the functions equivalent to those described for P 2 140 .
  • a computer system 100 employing multiple processors may be advantageously configured such that one of the processors is dedicated to protected processes only when a network process is active. When a user is not accessing a network, the multiple processors in a computer system may be dedicated to other processes, such as performing complex calculations or simulations, or running complex non-network interactive gaming processes, for example.
  • the computer system 100 may be configured such that the 110 - 120 system simply transfers required files to the video processor 170 or the 130 - 140 system at the appropriate time to facilitate the interactive network process. The 110 - 120 system could be commanded to retrieve and transfer the files at the command of the video processor, or at the command of the 130 - 140 system, or a combination of both.
  • Computer system 100 may be configured in a variety of ways, while still remaining within the spirit and scope of the present teachings.
  • One such exemplary embodiment is illustrated in FIG. 7 .
  • Subsystem 700 of computer system 100 comprises a video processor 770 , a second processor 740 , and a second memory data storage area 730 .
  • the demarcation line illustrated by subsystem 700 may be either physical or logical.
  • subsystem 700 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of the teachings of the present invention.
  • Subsystem 700 may be plugged into the main motherboard of an existing computer, for example.
  • the motherboard connector may be already communicatively coupled to the 110 - 120 system, thereby facilitating the system upgrade.
  • the network interface device 190 may be connected directly to subsystem 700 , or network interface device 190 could be integrated as part of subsystem 700 .
  • Memory data storage area 730 may comprise any of the volatile and/or non-volatile memory types previously described, or any combination thereof, or any suitable memory storage medium, for example.
  • subsystem 700 may be located on the motherboard, as opposed to an add-on card. Further still, portions of subsystem 700 , such as video processor 770 , and/or second processor 740 , for example, may be integrated together with P 1 120 . It is understood that functions described herein may be configured in a wide variety of ways, without departing from the spirit and scope of the present teachings.
  • Subsystem 800 of computer system 100 comprises a video processor 870 , a second processor 840 , and a second memory data storage area 830 .
  • the demarcation line illustrated by subsystem 800 may be either physical or logical.
  • subsystem 800 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of features of the present invention.
  • second processor 840 and video processor 870 are integrated together, perhaps on a common integrated circuit.
  • Such a configuration may help to reduce the cost of subsystem 800 , and/or improve the performance. Additionally, a circuit designer may find it advantageous to integrate 840 and 870 together to facilitate communication between the functions. It is understood that such an integration of functions may create a device in which an external user may find it difficult to distinguish where the function of 870 ends and the function of 840 begins, and vice versa. Such a device, however, would remain within the spirit and scope of the present teachings.
  • Computer system 100 comprises a video processor 970 , processor 960 , and a memory data storage area 950 .
  • Processor 960 may further comprise multiple processor cores, illustrated by 1 st processor 920 and 2 nd processor 940 . It is understood that processor 960 may contain more than 2 processor cores. Microprocessors manufactured with multiple processor cores are becoming common in the industry, and such multi-core processors may be particularly advantageous when used in accordance with the present teachings.
  • Memory data storage area 950 may further comprise 1 st memory data storage area 910 and 2 nd memory data storage area 930 . Memory areas 910 and 930 may comprise, for example, different partitions on a single hard drive, and/or different address ranges in a RAM bank.
  • processors 920 and 940 may comprise separate, secure logical processes executing on the same physical processor.
  • a first logical process may comprise executing instructions necessary to carry out the functions of an operating system, or the first logical process may comprise executing instructions necessary to carry out the functions of a first computer program, including but not limited to a word processor.
  • a second logical process may comprise executing instructions necessary to carry out the functions of a web browser program, or may comprise executing instructions necessary to carry out the functions of an instant messenger program, for example.
  • a computer system 100 constructed in accordance with the principles of the present invention would be capable of disallowing a secure logical process, such as the second logical process described above, access to certain memory spaces, and/or disallowing a secure logical process from initiating access to another logical process.
  • the functions carried out by P 2 140 may comprise a secure logical process, which may be configured to be unable to automatically initiate access to either M 1 110 or another logical process performing the functions of P 1 120 .
  • memory areas 910 and 930 may comprise separate, isolated memory zones within a common physical memory space, such as separate partitions within the same hard drive, for example.
  • malware programs are designed to secretly record user input commands (such as keystrokes, for example), then send the information back to a host computer.
  • This type of malware is capable of stealing important user information, such as passwords, bank account numbers, social security numbers, driver's license numbers, credit account numbers, etc. Theft of such personal information could result in the theft of actual assets (money or securities, etc.) or perhaps used for identity theft, among other malicious intents.
  • a computer system capable of ensuring the protection of such sensitive information would be desirable.
  • a computer system is configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked.
  • Encryption of user input data, such as keystrokes, is an effective means of protecting such data from theft by malware.
  • Specific techniques used for data encryption and decryption are well known in the art, and need not be discussed further here. There are many examples in the art that may be examined to better understand various encryption/decryption techniques and the use of encryption/decryption in computer systems. Among these are U.S. Pat. No.
  • a method of operating a computer system involving data encryption is described.
  • a user opens a protected process where some level of data encryption is desired, for example, the encryption of sensitive user interface data or user files. Other data may be encrypted as desired.
  • processor P 1 120 instructs processor P 2 140 to initiate a protected process and open a process window.
  • P 1 120 encrypts the sensitive data and passes the user interface data to P 2 140 when a P 2 140 window is selected or active (step 1030 ).
  • P 2 140 generates video data for the P 2 140 process window(s) and passes the video data to video processor 170 (step 1040 ).
  • Video processor 170 decrypts the sensitive data and interleaves the video data from all P 1 and P 2 processes (step 1050 ).
  • P 2 140 passes the encrypted sensitive data to network interface device 190 (step 1060 ).
  • Network interface device 190 decrypts the sensitive data and passes the decrypted sensitive data to network 195 .
  • other methods of operating a computer system in which data is encrypted prior to being passed to P 2 140 , and decrypted after leaving the control of P 2 140 are within the spirit and scope of the present teachings.
  • data desired to be protected is encrypted prior to sending the data to processor P 2 140 , which may be running one or more malware processes.
  • Processor P 2 140 does not have visibility to the decryption keys, and is therefore unable to decrypt the data.
  • Data may be decrypted by network interface device 190 prior to forwarding the data on to network 195 .
  • encrypted data may be sent directly over the network for decryption by another computer system, including, for example, an internet banking host computer.
  • Decryption keys may be passed between P 1 120 and network interface device 190 via a communication link 191 .
  • Video processor 170 may decrypt the data prior to displaying the data on video display 180 , with decryption keys possibly passed between P 1 120 and video processor 170 via a communication link 171 . Conversely, data may be passed directly to video processor 170 via a communication link 151 .
  • a user 160 may wish to encrypt just a portion of the data destined for the network, such as passwords, credit card numbers, etc. Conversely, a user may wish to encrypt large blocks of data, such as e-mails or large application files containing sensitive text and/or graphics. Instructions may be passed to network interface device 190 directing 190 to decrypt one or more specific data blocks prior to sending the data blocks to network 195 . Conversely, instructions may be passed to network interface device 190 directing 190 to pass one or more specific data blocks to network 195 without decryption.

Abstract

In a computer system, a first electronic data processor is communicatively coupled to a first memory space and a second memory space. A second electronic data processor is communicatively coupled the second memory space and to a network interface device. The second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device. A video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format. The computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.

Description

CROSS REFERENCE TO MULTIPLE REISSUE APPLICATIONS
This is a reissue continuation application of U.S. Reissue patent application Ser. No. 12/854,149 filed Aug. 10, 2010 (now, U.S. Pat. No. Re. 43,103), which is a reissue application of U.S. Pat. No. 7,484,247, entitled “System and Method for Protecting a Computer System from Malicious Software,” issued on Jan. 27, 2009. The following are related reissue applications: U.S. patent application Ser. No. 12/720,147 (now, U.S. Pat. No. Re. 43,528) from U.S. Pat. No. 7,484,247, filed on Mar. 9, 2010, U.S. patent application Ser. No. 12/720,207 (now, U.S. Pat. No. Re. 43,500) from U.S. Pat. No. 7,484,247, filed on Mar. 9, 2010, and U.S. patent application Ser. No. 12/941,067 (now, U.S. Pat. No. Re. 43,529) from U.S. Pat. No. 7,484,247, filed on Nov. 7, 2010. All of the above applications are incorporated herein by reference.
TECHNICAL FIELD
The present invention relates generally to computer hardware and software, and more particularly to a system and method for protecting a computer system from malicious software.
CROSS REFERENCE TO RELATED PATENTS AND APPLICATIONS
This application is related to the following U.S. patents and applications:
U.S. patent
or PUB
Application
Number Title Inventor(s)
5,826,013 Polymorphic virus detection module. Nachenberg
5,978,917 Detection and elimination of macro Chi
viruses.
6,735,700 Fast virus scanning using session Flint, et al
stamping.
6,663,000 Validating components of a malware Muttik, et al.
scanner.
6,553,377 System and process for maintaining a Eschelbeck,
plurality of remote security applications et al.
using a modular framework in a
distributed computing environment.
6,216,112 Method for software distribution and Fuller, et al.
compensation with replenishable
advertisements.
4,890,098 Flexible window management on a Dawes, et al.
computer display.
5,555,364 Windowed computer display. Goldstein
5,666,030 Multiple window generation in computer Parson
display.
5,995,103 Window grouping mechanism for Ashe
creating, manipulating and displaying
windows and window groups on a display
screen of a computer system.
5,502,808 Video graphics display system with Goddard, et al.
adapter for display management based
upon plural memory sources.
5,280,579 Memory mapped interface between host Nye
computer and graphics system.
5,918,039 Method and apparatus for display of Buswell, et al
windowing application programs on a
terminal.
6,480,198 Multi-function controller and method for a Kang
computer graphics display system.
6,167,522 Method and apparatus for providing Lee, et al.
security for servers executing application
programs received via a network
6,199,181 Method and system for maintaining Rechef, et al.
restricted operating environments for
application programs or operating
systems.
6,275,938 Security enhancement for untrusted Bond, et al.
executable code.
6,321,337 Method and system for protecting Reshef, et al.
operations of trusted internal networks.
6,351,816 System and method for securing a Mueller, et al.
program's execution in a network
environment.
6,546,554 Browser-independent and automatic Schmidt, et al.
apparatus and method for receiving,
installing and launching applications from
a browser on a client computer.
6,658,573 Protecting resources in a distributed Bischof, et al
computer system.
6,507,904 Executing isolated mode instructions in a Ellison, et al.
secure system running in privilege rings.
6,633,963 Controlling access to multiple memory Ellison, et al.
zones in an isolated execution
environment.
6,678,825 Controlling access to multiple isolated Ellison, et al.
memories in an isolated execution
environment.
5,751,979 Video hardware for protected, McCrory
multiprocessing systems.
6,581,162 Method for securely creating, storing and Angelo, et al.
using encryption keys in a computer
system.
6,134,661 Computer network security device and Topp
method.
6,578,140 Personal computer having a master Policard
computer system and in internet computer
system and monitoring a condition of said
master and internet computer systems
PUB E-mail software and method and system Jacobs, Paul E.,
Application # for distributing advertisements to client et al.
20040054588 devices that have such e-mail software
installed thereon.
PUB System and method for comprehensive Mayer, Yaron;
Application # general generic protection for computers et al.
20040034794 against malicious programs that may steal
information and/or cause damages
PUB System and method for providing security Skrepetos,
Application # to a remote computer over a network Nicholas C.
20040006715 browser interface.
PUB Virus protection in an internet Samman, Ben
Application # environment.
20030177397
PUB System and method for protecting Pham, Khai;
Application # computer users from web sites hosting et al.
20030097591 computer viruses.
PUB Malware infection suppression. Hinchliffe,
Application # Alexander
20030023857 James; et al.
PUB Access control for computers. Riordan, James
Application #
20020066016
PUB Detecting malicious alteration of stored Wolff, Daniel
Application # computer files. Joseph; et al.
20020174349
The above-listed U.S. Patents and U.S. patent applications are incorporated by reference as if reproduced herein in their entirety.
BACKGROUND
The very popular and ubiquitous rise of the ‘personal’ computer system as an essential business tool and home appliance, together with the exponential growth of the Internet as a means of providing information flows across a wide variety of connected computing devices, has changed the way people live and work. Information in the form of data files and executable software programs regularly flows across the planetary wide system of interconnected computers and data storage devices.
Popular and ubiquitous computer hardware and software architectures have typically been designed to allow for open interconnection via, for example, the internet, a VPN, a LAN, or a WAN, with information often capable of being freely shared between the interconnected computers. This open interconnection architecture has contributed to the adoption and mainstream usage of these computers and the subsequent interconnection of vast networks of computers. This easy to use system has given rise to the explosive popularity of applications such as email, internet browsing, search engines, interactive gaming, instant messaging, and many, many more.
Although there are definite benefits to this open interconnection architecture, a lack of security against unwanted incursions into the computers main processing and non-volatile memory space has emerged as a significant problem. An aspect of some current computer architectures that has contributed to the security problem is that by default programs are typically allowed to interact with and/or alter other programs and data files, including critical operating system files, such as the windows registry, for example. Current open interconnection architectures have opened the door to a new class of unwanted malicious software generally known a malware. This malware is capable of infiltrating any computer system which is connected to a network of interconnected computer systems. Malware is comprised of, but not limited to, classes of software files known as viruses, worms, Trojan horses, browser hijackers, adware, spyware, pop-up windows, data miners, etc. Such malware attacks are capable of stealing data by sending user keystrokes or information stored on a user's computer back to a host, changing data or destroying data on personal computers and/or servers and/or other computerized devices, especially through the Internet. In the least, these items represent a nuisance that interferes with the smooth operation of the computer system, and in the extreme, can lead to the unauthorized disclosure of confidential information stored on the computer system, significant degradation of computer system performance, or the complete collapse of computer system function.
Malware has recently become much more sophisticated and much more difficult for users to deal with. Once resident on a computer system, many malware programs are designed to protect themselves from deletion. For example, some malware programs comprise a pair of programs running simultaneously, with each program monitoring the other for deletion. If one of the pair of programs is deleted, the other program installs a replacement within milliseconds. In another example, some malware will run as a Windows program with a .dlls extension, which Windows may not allow a user to delete while it is executing. Malware may also reset a user's browser home page, change browser settings, or hijack search requests and direct such requests to another page or search engine. Further, the malware is often designed to defeat the user's attempts to reset the browser settings to their original values. In another example, some malware programs secretly record user input commands (such as keystrokes), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, credit account numbers, etc.
Many existing computers rely on a special set of instructions which define an operating system (O/S) in order to provide an interface for computer programs and computer components such as the computer's memory and central processing unit (CPU). Many current operating systems have a multi-tasking capability which allows multiple computer programs to run simultaneously, with each program not having to wait for termination of another in order to execute instructions. Multi-tasking O/S's allow programs to execute simultaneously by allowing programs to share resources with other programs. For example, an operating system running multiple programs executing at the same time allows the programs to share the computer's CPU time. Programs which run on the same system, even if not simultaneously with other programs, share space on the same nonvolatile memory storage medium. Programs which are executing simultaneously are presently able to place binaries and data in the same physical memory at the same time, limited to a certain degree by the O/S restrictions and policy, to the extent that these are properly implemented. Memory segments are shared by programs being serviced by the O/S, in the same manner. O/S resources, such as threads, process tables and memory segments, are shared by programs executing simultaneously as well.
While allowing programs to share resources has many benefits, there are resulting security related ramifications, particularly regarding malware programs. Security problems include allowing the malware program: to capitalize CPU time, leaving other programs with little or no CPU time; to read, forge, write, delete or otherwise corrupt files created by other programs; to read, forge, write, delete or otherwise corrupt executable files of other programs, including the O/S itself; and to read and write memory locations used by other programs to thus corrupt execution of those programs.
In the case of a computer connected to the Internet, the computer may run an O/S, with several user applications, together comprising a known and trusted set of programs, concurrently with an Internet browser, possibly requiring the execution of downloaded code, such as Java applets, or EXE/COM executables, with the latter programs possibly containing malware. Many security features and products are being built by software manufacturers and by O/S programmers to prevent malware infiltrations from taking place, and to ensure the correct level of isolation between programs. Among these are architectural solutions such as rings-of-protection in which different trust levels are assigned to memory portions and tasks, paging which includes mapping of logical memory into physical portions or pages, allowing different tasks to have different mapping, with the pages having different trust levels, and segmentation which involves mapping logical memory into logical portions or segments, each segment having its own trust level wherein each task may reference a different set of segments. Since the sharing capabilities using traditional operating systems are extensive, so are the security features. However, the more complex the security mechanism is, the more options a malware practitioner has to bypass the security and to hack or corrupt other programs or the O/S itself, sometimes using these very features that allow sharing and communication between programs to do so.
Further, regarding malware programs, for virtually every software security mechanism, a malware practitioner has found a way to subvert, or hack around, the security system, allowing a malware program to cause harm to other programs in the shared environment. This includes every operating system and even the Java language, which was designed to create a standard interface, or sandbox, for Internet downloadable programs or applets.
Major vulnerabilities of existing computer systems lies in the architectures of the computer system and of the operating system itself. A typical multi-tasking O/S environment includes an O/S kernel loaded in the computer random access memory (RAM) at start-up of the computer. The O/S kernel is a minimal set of instructions which loads and off-loads resources and resource vectors into RAM as called upon by individual programs executing on the computer. Sometimes, when two or more executing programs require the same resource, such as printer output, for example, the O/S kernel leaves the resource loaded in RAM until all programs have finished with that resource. Other resources, such as disk read and write, are left in RAM while the operating system is running because such resources are more often used than others. The inherent problem with existing architectures is that resources, such as RAM, or a hard disk, are shared by programs simultaneously, giving a malware program a conduit to access and corrupt other programs, or the O/S itself through the shared resource. Furthermore, as many application programs are of a general nature, many features are enabled by default or by the O/S, thus in many cases bypassing the O/S security mechanism. Such is the case when a device driver or daemon is run by the O/S in kernel mode, which enables it unrestricted access to many if not all the resources.
The most common state-of the-art solutions for preventing malware infiltration are software based, such as blockers, sweepers and firewalls, for example, and hardware based solutions such as router/firewalls. Examples of software designed to counter malware are Norton Systems Works, distributed by the Symantec Corporation, Ad-aware, distributed by the Lavasoft Corporation of Sweeden, Spy Sweeper, distributed by the Webroot Software Corporation, Spyware Guard, distributed by Javacool Software LLC, among others. Currently there are a plethora of freeware, shareware and purchased software programs designed to counter malware by a variety of means. Such anti-malware programs are limited because they can only detect known malware that has already been identified (usually after the malware has already attacked one or more computers).
Network firewalls are typically based on packet filtering, which is limited in principle, since the rules determining which packets to accept and which to reject may contain subjective decisions based on trusting known sites or known applications. However, once security is breached for any reason (for example, due to a software or hardware error, a new piece of malware unrecognized by the anti-malware program or firewall, or an intended deception), a malicious application may take over the computer or server or possibly the entire network and create unlimited damages (directly or indirectly by opening the door to additional malicious applications).
The methods in the prior art are typically comprised of embedded software countermeasures that detect and filter unwanted intrusions in real time, or scan the computer system either at the direction of a user or as a scheduled event. Two problems arise from these methods. In the first instance, a comprehensive scan, detect, and elimination of malware from desired incoming data streams could significantly slow or preclude the interactive nature of many applications such a gaming, messaging, and browsing. In the second instance, newly implemented software screens may be quickly circumvented by malware practitioners who are determined to pass their files through the screen. Newly discovered malware leads to the development of additional screens, which lead to more malware, etc., thus creating an escalating cycle of measure, countermeasure. The basic flaw is that all incoming executable data files must be resident on the computers main processor to perform their desired function. Once resident on that processor, access may be gained to non-volatile memory and other basic computer system elements. Malware exploits this key architectural flaw to infiltrate and compromise computer systems.
The majority of these applications rely upon a scanning engine which searches suspect files for the presence of predetermined malware signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified malware. Typically, users regularly download replacement databases, either over the Internet, from a received e-mail, or from a CDROM or floppy disc. Users are also expected to update their software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a new strain of malware is detected).
Many of the aforementioned applications are also not effective against security holes, for example, in browsers or e-mail programs, or in the operating system itself. Security holes in critical applications are discovered quite often, and just keeping up with all the patches is cumbersome. Also, without proper generic protection against, for example, Trojan horses, even VPNs (Virtual Private Networks) and other forms of data encryption, including digital signatures, are not totally safe because information can be stolen before or below the encryption layer. Even personal firewalls are typically limited, because once a program is allowed to access the Internet, there are often few limitations on what files may be accessed and transmitted back to a host.
A major problem faced by computer users connected to a network is that the network interface program (a browser, for example) is resident on the same processor as the O/S and other trusted programs, and shares space on a common memory storage medium. Even with security designed into the O/S, malware practitioners have demonstrated great skill in circumventing software security measures to create malware capable of corrupting critical files on the shared memory storage medium. When this happens, users are often faced with a lengthy process of restoring their computer systems to the correct configuration, and often important files are simply lost because no backup exists.
Therefore, what is needed in the art is a means of isolating the network interface program from the main computer system such that the network interface program does not share a common memory storage area with other trusted programs. The network interface program may be advantageously given access to a separate, protected memory area, while being unable to initiate access to the main computer's memory storage area. With the network interface program constrained in this way, malware programs are rendered unable to automatically corrupt critical system and user files located on the main memory storage area. If a malware infection occurs, a user would be able to completely clean the malware infection from the computer using a variety of methods. A user could simply delete all files contained in the protected memory area, and restore them from an image residing on the main memory area, for example.
Other discussions of malware, its effects on computer systems, techniques used by malware practitioners to install malware, and techniques for detection and removal, may be found in the published literature, and in some of the patents and applications previously incorporated by reference. Reference to malware may be found in a technical white paper entitled “Spyware, Adware, and Peer-to-Peer Networks: The Hidden Threat to Corporate Security.”, by Kevin Townsend, © Pest Patrol Inc. 2003. Pest Patrol is a Carlisle; Pa. based developer of software security tools. Another reference is a technical white paper entitled “Beyond Viruses: Why anti-virus software is no longer enough.” by David Stang, PhD, © Pest Patrol Inc. 2002. Yet another reference is “The Web: Threat or Menace?” from “Firewalls and Internet Security: Repelling the Wily Hacker”, Second Edition, Addison-Wesley. ISBN 0-201-63466-X, Copyright 2003. The foregoing references are incorporated by reference as if reproduced herein in their entirety.
SUMMARY OF THE INVENTION
Embodiments of the present invention achieve technical advantages as a system and method for protecting a computer system from malicious software attacks via a network connection.
It is an object of the present invention to provide a computer system capable of preventing malware programs from automatically corrupting critical user and system files.
It is another object of the present invention to confine any malware infection that may occur to a separate, protected part of the computer system.
It is another object of the present invention to provide a user with an easy and comprehensive method of removing the malware infection, even if the user's anti-malware software is incapable of detecting and/or removing the malware infection.
It is another object of the present invention to provide a user with an easy and comprehensive method of restoring critical system and user files that may have been corrupted by a malware infection.
It is another object of the present invention to provide a computer system configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked.
It is another object of the present invention to provide a computer system capable of executing instructions in a first logical process, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space.
It is another object of the present invention to provide a computer system capable of executing instructions in a second logical process, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers.
It is another object of the present invention to provide a computer system capable of displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal
It is another object of the present invention to provide a computer system configured such that a malware program downloaded from the network and executing as part of the second logical process is incapable of initiating access to the first memory space.
It is another object of the present invention to provide a computer system configured such that corrupted data files residing on the second memory space may be restored from an image residing on the first memory space.
It is another object of the present invention to provide a computer system configured such that data files residing on the second memory space may be automatically deleted when the second logical process is terminated.
It is another object of the present invention to provide a computer system configured such that the second electronic data processor and the video processor are co-located on a circuit card, the circuit card being communicatively coupled to the first electronic data processor.
These objects and other advantages are provided by a preferred embodiment of the present invention wherein a computer system comprising a first electronic data processor is communicatively coupled to a first memory space and to a second memory space, a second electronic data processor is communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device, a video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format, wherein the computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.
TERM DESCRIPTION
Memory—This term is intended to broadly encompass any device capable of storing and/or incorporating computer readable code for instantiating the client device referred to immediately above. Thus, the term encompasses all types of recording medium, e.g., a CD-ROM, a disk drive (hard or soft), magnetic tape, and recording devices, e.g., memory devices including DRAM, SRAM, EEPROM, FRAM, and Flash memory. It should be noted that the term is intended to include any type of device which could be deemed persistent storage. To the extent that an Application Specific Integrated Circuit (ASIC) can be considered to incorporate instructions for instantiating a client device, an ASIC is also considered to be within the scope of the term “memory.”
BRIEF DESCRIPTION OF THE DRAWINGS
For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:
FIG. 1 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;
FIG. 2 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention;
FIG. 3 illustrates a preferred embodiment of an exemplary file download process according to the principles of the present invention;
FIG. 4 illustrates a preferred embodiment of an exemplary memory restoration process according to the principles of the present invention;
FIG. 5 illustrates a preferred embodiment of an exemplary automatic memory restoration and cleaning process according to the principles of the present invention;
FIG. 6 illustrates a preferred embodiment of an exemplary interactive network process flow according to the principles of the present invention;
FIG. 7 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;
FIG. 8 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;
FIG. 9 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;
FIG. 10 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention.
DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS
The making and using of the presently preferred embodiments are discussed in detail below. It should be appreciated, however, that the present invention provides many applicable inventive concepts that can be embodied in a wide variety of specific contexts. The specific embodiments discussed are merely illustrative of specific ways to make and use the invention, and do not limit the scope of the invention.
A computer system, constructed in accordance with a preferred embodiment of the present invention, is illustrated in FIG. 1. Computer system 100 may represent, for example, a personal computer (PC) system, a server, a portable computer, such as a notebook computer, or any data processing system, a personal digital assistant (PDA), a communication device such as a cell phone, or device that is capable of being connected to a network of one or more computers. System 100 comprises a first processor 120 (P1) communicatively coupled to a first memory and data storage area 110 (M1). P1 100 may comprise, for example, a microprocessor, such as a Pentium® 4 processor, manufactured by the Intel Corporation, or a Power PC® processor, manufactured by the IBM Corporation. Other electronic data processors manufactured by other companies, including but not limited to electronic data processors realized in Application Specific Integrated Circuits (ASICs) or in Field Programmable Gate Arrays (FP-GAs), are within the spirit and scope of the present invention.
The first memory and data storage area 110 may comprise both volatile and nonvolatile memory devices, such as DRAMs and hard drives, respectively. Any memory structure and/or device capable of being communicatively coupled to P1 may be advantageously used in the present invention. M1 may be used to store, for example, critical operating system files, user data and applications, interim results of calculations, etc. The many uses of computer memory are well understood by those skilled in the art, and will not be discussed further here. One may refer to several of the aforementioned patents and applications incorporated by reference, in addition to other references, for a discussion of existing computer architectures and uses of computer memory. Also part of system 100 is user interface 150, which may comprise, for example, a keyboard, mouse or other pointing device, microphone, pen pad, etc. Any device or method capable of inputting commands and/or data from a user 160 to computer system 100 may be used to advantage. A video processor 170 is used to format information for display and transmit the display information to a video display device 180, which is viewed by user 160. Video processor 170 typically includes an associated video memory area, which may be dedicated to the video processor, or shared with other resources. It is understood in the art that the video processor 170 may be part of processor P1 120, in that it may be integrated onto the microprocessor chip. Video processor 170 may also comprise a processor IC located on a video graphics card, which is communicatively coupled to a computer motherboard. Additionally, video processor 170 may comprise circuitry located on the computer motherboard. Further still, functions of video processor 170 may be split between the processor, motherboard, or separate video graphics card.
It is often desirable to connect computer system 100 to a network of one or more computer devices 195, such as the Internet, a LAN, WAN, VPN, etc. This connection may be accomplished via network interface device 190, which may comprise, for example, a telephone modem, a cable modem, a DSL line, a router, gateway, hub, etc. Any device capable of interfacing with the network 195 may be used, via a wired connection, a wireless connection, or an optical connection, for example. Network interface device 190 may connect to network 195 through one or more additional network interface devices (not shown). For example, network interface device 190 may comprise a gateway or router, connected to a cable modem, with the cable modem connected to network 195. Of course, other configurations are within the spirit and scope of the present teachings.
In accordance with a preferred embodiment of the present invention, network 195 is isolated from the first processor 120 and memory 110 by a second processor 140 (P2). Second processor 140 may comprise any electronic data processor, such as the devices previously described as applicable to first processor 120. Communicatively coupled to P2 140 is second memory and data storage area 130 (M2), which may comprise any memory device or devices, such as the devices previously described as applicable to first memory 110.
The architecture of computer system 100 is designed to be capable of protecting memory 110 from malware initiated intrusions, and preventing malware from initiating unwanted processes on first processor 120. This is accomplished by using second processor 140 to isolate 110 and 120 from network 195. In a preferred embodiment, P2 140 is communicatively coupled to memory storage area M2 130, and may be configured such that P2 140 is incapable of initiating access to memory storage area M1 110. For example, P2 140 may be capable of accessing memory storage area M1 110 with the strict permission of user 160, either through a real time interaction or via stored configuration or commands. Such a configuration may be desirable in a multi-core or multi processor system, where user 160 may wish to use P2 140 in either a protected mode or an unprotected mode, depending on the application. However, user 160 is capable of denying P2 140 the capability of initiating access to memory storage area M1 110 without the user's permission. P1 120 is communicatively coupled to both memory areas M1 110 and M2 130, thereby enabling P1 120 to access data downloaded from the network 195. In the presently described embodiment, any malware that has intruded the 130-140 system is thus confined to the 130-140 system, and may be configured to be incapable of automatically corrupting data contained on M1 110, or of automatically initiating an unwanted process on P1 120.
This and other features of the present teachings may be illustrated with reference to the example process flow 200 of FIG. 2. Computer user 160 wishes to connect to network 195 via for example, a browser program such as Internet Explorer or Netscape Navigator. Of course, other methods of connecting to network 195 may be used. User 160 inputs commands to open a protected process (e.g. a browser program in this example) at step 210. At step 220, 1st processor 120 instructs 2nd processor 140 to initiate the protected process and open one or more process windows. Second processor 140, in conjunction with memory 130, then interacts with the network 195 via network interface device 190, receiving and transmitting the data necessary to execute the desired protected process, such as browsing the internet or communication via e-mail. Second processor 140 and memory 130 act as a separate computer system, interacting with network 195 while isolating network 195 from the first processor 120 and memory 110. Memory 130 may store critical application and system files required by second processor 140 to execute the desired tasks. Memory 130 also stores data necessary to carry out the desired protected process. In the example of FIG. 2, first processor 120 receives user interface data from user 160, and passes user interface data to second processor 140 when the protected process window is selected or active, illustrated at step 230. User interface data, such as keystrokes for example, may be advantageously encrypted by P1 120 before passing the data to P2 140, with network interface device 190 possibly decrypting the data prior to transmitting the data to network 195. Encrypting, for example keystroke data, may disrupt the efforts of spyware programs designed to store user keystrokes for later transmission to a host computer. Second processor 140 generates video data for the protected process window(s) and passes the video data to video processor 170, for eventual display on video display 180, shown at step 240. Video processor 170 then interleaves the video data from all processes being executed by first processor 120 and second processor 140, at step 250. While there are many applicable methods for displaying video data from multiple sources, one such method was described in U.S. Pat. No. 5,751,979, entitled “Video hardware for protected, multiprocessing systems”, previously incorporated by reference.
In accordance with a preferred embodiment of the present invention, if any malware is downloaded from network 195, it is stored in memory 130, and/or run as a process on second processor 140. In the configuration of computer system 100, any downloaded malware is rendered incapable of self initiating access to memory 110 or first processor 120, because second processor 140 is rendered incapable of initiating access to 110 and 120 without a direct or stored command from user 160. Any malware infection is thus confined. If a malware attack corrupts files and/or disrupts the operation of the 130-140 system, the user may easily shut down the corrupted process and restore the corrupted files from a protected image stored on memory 110, for example.
In accordance with a preferred embodiment of the present invention, the operating system controlling the 110-120 system may be different from an operating system controlling the protected 130-140 system. Conversely, a common operating system may control both the 110-120 system and the protected 130-140 system.
A user 160 may find it desirable to transfer files from the protected 130-140 system to the 110-120 system. User 160 may find it necessary, for example, to transfer an attachment from an e-mail message stored on memory 130 to the 110-120 system for further processing, modification, etc. In this case, the computer system 100 may go through a process whereby a file or other data is transferred from the 130-140 system to the 110-120 system, exemplified by the process 300 illustrated in FIG. 3.
In accordance with a preferred embodiment of the present invention, at step 310, user 160 selects one or more data files to download from network 195. The desired data is downloaded to the 130-140 system at step 320. The user 160 then directs computer system 100 to move the desired file(s) from the 130-140 system to the 110-120 system at step 330. P1 120 may then perform a malware scan on the desired files, either in real time as the data is being transferred, or while the data still resides in M2 130 (step 340). Alternatively, P2 140 may perform the malware scan. At step 350, processor P2 140 (or P1 120) determines if malware has been detected in the desired file(s), and thus P1 120 makes a decision. If no malware is detected, the file(s) are moved or copied onto M2 110 at step 360. If malware is detected, the data file(s) are quarantined on M2 130, and the data file(s), if transferred to M1 100, are erased or quarantined. Once malware is detected, the user 160 may be alerted of the detection (step 370). Either as a result of user input or stored configuration commands, the infected file(s) are deleted, cleaned, or quarantined on M2 130, at step 380.
The user 160 would of course understand the dangers inherent in transferring downloaded files from the 130-140 system to the 110-120 system. For example, the user's anti-malware software may not be up to date, or may simply be unable to detect certain types of malware. Also, the malware itself may be so new that the user's anti-malware definitions have not been updated as yet. Therefore the user may wish to keep the files on the 130-140 system for some period of time. Consequently, it may be desirable to have resident on the 130-140 system a variety of application software such as readers, thereby allowing the user to examine the files without risking transferring the files to the 110-120 system. These reader programs, such as Adobe Acrobat Reader, by the Adobe Systems Corporation, or Visio reader, by the Microsoft Corporation, are typically subset application programs of the full featured application programs, and may thus require far less memory space than the full application. Additionally, software companies often distribute the reader programs for free (or a nominal fee), thereby providing advertising for the full featured application in the hopes that it will be eventually purchased by the user. This reader application may be opened and executed on the 130-140 system in a manner similar to the process described in FIG. 2. Of course, a user 160 may also load a full application into the 130-140 system, enabling processing and modification of a downloaded file fully in the protected space, without risking a transfer of the file to the 110-120 system.
In the event the 130-140 system becomes infected with malware, the user 160 may wish to clean the 130-140 system. This cleaning may be accomplished by running an anti-malware application on the 130-140 system. However, if the infection is too severe for the anti-malware software to clean, or if the malware is undetectable by the user's anti-malware software, the user may wish to restore critical system files (or other user data files) for the 130-140 system from a protected image stored on M1 100, for example. It is of course understood that the critical system file image may be restored from another device, such as a removable drive or a CD, for example. The user may however consider it more convenient to restore the critical system files from an image on M1 100.
In accordance with a preferred embodiment of the present invention, an exemplary process for restoring M2 130 from M1 110 is illustrated by process 400 in FIG. 4. At step 410, malware is detected or suspected to be infecting the 130-140 system. The user instructs P1 120 to reload critical system files onto M2 130 from a protected image on M1 110, at step 420. Depending on the severity of the infection, P1 120 may scan all or part of the data contained on M2 130 for malware, and may scan all processes currently running on P2 140. The scan may be initiated by direct instructions from the user, or by stored configuration commands, for example (step 430). P1 120 may delete all or part of the data contained on M2. P1 120 may also reset P2 140 and/or delete the contents of any RAM communicatively coupled to P2 140 (step 440). Once the 130-140 system has been adequately cleaned, clean critical system files are loaded onto M2 130 from any of the sources previously mentioned, preferably an image stored on M1 110 (step 450). The 130-140 may now be rebooted and/or reinitialized from the clean critical system files. In an extreme case where the malware resists deletion by the operating system, the user may elect to do a low level format on the M1 110 memory in order to ensure that the malware infection has been cleaned.
In accordance with a preferred embodiment of the present invention, a user 160 may consider it advantageous for the 130-140 system to be automatically reinitialized from clean critical system files when a protected process window is opened. In this way, the new protected process is much less likely to be affected by an infection from a previous protected process session. Of course, a user may have a plurality of protected processes open and running during a protected process session. It may only be necessary to automatically reinitialize from clean critical system files when the first protected process is opened during a session. Subsequent protected processes may not require automatic re-initialization from clean critical system files. An exemplary automatic re-initialization from clean critical system files is illustrated by steps 510, 520 and 530 in FIG. 5a. Additionally, processes running on P2 140 may be automatically scanned and compared with an allowed process list, particularly as a protected process is started up. If any process is detected which is not on the allowed list, the user may be alerted that a possible malware infection has occurred. A user may then choose to scan or clean the system, or inspect the unknown process to determine if the process will be allowed to continue to execute. A user may also update the list of allowed processes from time to time as new, legitimate processes are added, for example, by a browser software update.
In accordance with a preferred embodiment of the present invention, a user 160 may consider it advantageous for the 130-140 system to be automatically cleaned when a protected process window is closed. In this way, any detected or undetected malware infections are much less likely to affect a future protected process session. It may only be necessary to automatically clean the 130-140 system when the last protected process is closed during a session. An exemplary automatic cleaning process is illustrated by steps 540, 550, 560, 570 and 580 in FIG. 5b. The memory M2 130 and processor P2 140 may be automatically scanned for malware infections as the protected process session closes. Infected files may be deleted or quarantined automatically. Additionally, there may be a variety of files that a user may wish to have automatically cleaned or deleted upon closing a protected process session. For example, temporary internet files, cookies, browser plug-ins, etc., may be deleted or scanned for malware automatically. A user may also wish to have websites that contributed to a malware infection noted, and may wish to place the offending websites in a block list, such that the offending websites cannot be accessed in the future without the user specifically authorizing access. As part of the malware scan, the malware scanner may automatically log the offending website(s), and block future access. Also, the P2 140 processor and any associated non-volatile memory may be reset and/or erased as the protected process session is closed. The exemplary automatic cleaning process illustrated in FIG. 5b may therefore reduce the risk of a malware infection being carried over to a future protected process session.
Interactive network processes such as interactive gaming have become very popular in recent years. In current interactive gaming processes, a user may log onto a game host located on network 195, or connect to other computers whose users wish to participate in the game. Computer games, such as Quake 3. Arena, by Id Software Incorporated, or Call of Duty, by Activision Incorporated, are just two examples of the plethora of games available that may be played interactively over a network. The user's computer system typically provides the bulk of the processing power and video graphics generation required to display the often fast moving and richly detailed three dimensional game environments. Information about the current and new state of the game is exchanged between various users' computer systems, often in real time. With this type of process, a relatively modest amount of data is required to be exchanged between users, or a user and the host, with the bulk of the processing, data manipulation, and graphics generation being handled by the user's local machine. However, this open network connection may become a conduit for malware practitioners to exploit, allowing malware to be downloaded onto a user's computer during a gaming session, often without the user being aware of the malware transfer. It would be advantageous, therefore, for a computer system to be much less susceptible to malware attacks during gaming sessions.
In accordance with a preferred embodiment of the present invention, an exemplary process flow 600, illustrated in FIG. 6, allows an interactive network process, such as online gaming, to be carried out on computer system 100. A user initiates an interactive network process via 2nd processor P2 140 (step 610). P2 140 receives interactive network process status data from network connection (step 620). P2 140 informs 1st processor P1 120 that interactive network process status data is available (step 630). P1 120 retrieves interactive network process status data from P2 140 and uses the status data to update the interactive network process and update video display (step 640). P1 120 then passes the updated interactive network process status data to P2 140 (step 650). P2 140 then sends the updated interactive network process status data to the network via network connection 195 (step 660). The exemplary process 600, or a process functionally equivalent, is carried out continuously as long as the interactive process is running.
By using exemplary process 600 (or an equivalent), computer system 100 is capable of actively deciding what data to download and use, and what data to discard or scan for malware. The game status data is buffered prior to loading it onto the 110-120 system. The 110-120 system may be advantageously configured to only accept game status information in the proper format, thereby minimizing the chance that a malware practitioner could deceptively load malware onto the 110-120 system.
Additionally, computer system 100 could be configured such that system 130-140 is powerful enough to process the interactive network process without exchanging information with the 110-120 system. Such a configuration may be more secure, as a conduit between the 110-120 system and the 130-140 system may not be necessarily opened. The 130-140 system may contain all the necessary files to facilitate the interactive network process. Higher end computers, workstations, and servers often contain dual (or more) processors, such as the Mac G5, manufactured by the Apple Computer Corporation, or a single physical processor with a multiple processor core. Often, the processors in these multi-processor machines are of equal or comparable processing power. In such a configuration, one processor may be dedicated to performing functions equivalent to those described for P1 120, with a second processor performing the functions equivalent to those described for P2 140. A computer system 100 employing multiple processors may be advantageously configured such that one of the processors is dedicated to protected processes only when a network process is active. When a user is not accessing a network, the multiple processors in a computer system may be dedicated to other processes, such as performing complex calculations or simulations, or running complex non-network interactive gaming processes, for example. Alternatively, the computer system 100 may be configured such that the 110-120 system simply transfers required files to the video processor 170 or the 130-140 system at the appropriate time to facilitate the interactive network process. The 110-120 system could be commanded to retrieve and transfer the files at the command of the video processor, or at the command of the 130-140 system, or a combination of both.
In accordance with embodiments of the present invention, computer system 100 may be configured in a variety of ways, while still remaining within the spirit and scope of the present teachings. One such exemplary embodiment is illustrated in FIG. 7. Subsystem 700 of computer system 100 comprises a video processor 770, a second processor 740, and a second memory data storage area 730. The demarcation line illustrated by subsystem 700 may be either physical or logical. For example, subsystem 700 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of the teachings of the present invention. Subsystem 700 may be plugged into the main motherboard of an existing computer, for example. The motherboard connector may be already communicatively coupled to the 110-120 system, thereby facilitating the system upgrade. The network interface device 190 may be connected directly to subsystem 700, or network interface device 190 could be integrated as part of subsystem 700. Memory data storage area 730 may comprise any of the volatile and/or non-volatile memory types previously described, or any combination thereof, or any suitable memory storage medium, for example. Alternatively, subsystem 700 may be located on the motherboard, as opposed to an add-on card. Further still, portions of subsystem 700, such as video processor 770, and/or second processor 740, for example, may be integrated together with P1 120. It is understood that functions described herein may be configured in a wide variety of ways, without departing from the spirit and scope of the present teachings.
In accordance with a preferred embodiment of the present invention, an alternate configuration for computer system 100 is illustrated in FIG. 8. Subsystem 800 of computer system 100 comprises a video processor 870, a second processor 840, and a second memory data storage area 830. The demarcation line illustrated by subsystem 800 may be either physical or logical. For example, subsystem 800 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of features of the present invention. In the exemplary embodiment of FIG. 8, second processor 840 and video processor 870 are integrated together, perhaps on a common integrated circuit. Such a configuration may help to reduce the cost of subsystem 800, and/or improve the performance. Additionally, a circuit designer may find it advantageous to integrate 840 and 870 together to facilitate communication between the functions. It is understood that such an integration of functions may create a device in which an external user may find it difficult to distinguish where the function of 870 ends and the function of 840 begins, and vice versa. Such a device, however, would remain within the spirit and scope of the present teachings.
In accordance with a preferred embodiment of the present invention, an alternate configuration for computer system 100 is illustrated in FIG. 9. Computer system 100 comprises a video processor 970, processor 960, and a memory data storage area 950. Processor 960 may further comprise multiple processor cores, illustrated by 1st processor 920 and 2nd processor 940. It is understood that processor 960 may contain more than 2 processor cores. Microprocessors manufactured with multiple processor cores are becoming common in the industry, and such multi-core processors may be particularly advantageous when used in accordance with the present teachings. Memory data storage area 950 may further comprise 1st memory data storage area 910 and 2nd memory data storage area 930. Memory areas 910 and 930 may comprise, for example, different partitions on a single hard drive, and/or different address ranges in a RAM bank.
Referring again to FIG. 9, the functions carried out by processors 920 and 940 may comprise separate, secure logical processes executing on the same physical processor. For example, a first logical process may comprise executing instructions necessary to carry out the functions of an operating system, or the first logical process may comprise executing instructions necessary to carry out the functions of a first computer program, including but not limited to a word processor. A second logical process may comprise executing instructions necessary to carry out the functions of a web browser program, or may comprise executing instructions necessary to carry out the functions of an instant messenger program, for example. A computer system 100 constructed in accordance with the principles of the present invention would be capable of disallowing a secure logical process, such as the second logical process described above, access to certain memory spaces, and/or disallowing a secure logical process from initiating access to another logical process. For example, the functions carried out by P2 140 (FIG. 1) may comprise a secure logical process, which may be configured to be unable to automatically initiate access to either M1 110 or another logical process performing the functions of P1 120. Additionally, memory areas 910 and 930 may comprise separate, isolated memory zones within a common physical memory space, such as separate partitions within the same hard drive, for example.
Some malware programs are designed to secretly record user input commands (such as keystrokes, for example), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, bank account numbers, social security numbers, driver's license numbers, credit account numbers, etc. Theft of such personal information could result in the theft of actual assets (money or securities, etc.) or perhaps used for identity theft, among other malicious intents. Clearly, a computer system capable of ensuring the protection of such sensitive information would be desirable.
In accordance with an embodiment of the present invention, a computer system is configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked. Encryption of user input data, such as keystrokes, is an effective means of protecting such data from theft by malware. Specific techniques used for data encryption and decryption are well known in the art, and need not be discussed further here. There are many examples in the art that may be examined to better understand various encryption/decryption techniques and the use of encryption/decryption in computer systems. Among these are U.S. Pat. No. 6,581,162 entitled “Method for securely creating, storing and using encryption keys in a computer system.” issued to Angelo, et al., and U.S. Pat. No. 6,134,661 entitled “Computer network security device and method.” Issued to Topp. The aforementioned patents have been previously incorporated by reference.
In accordance with the present teachings, a method of operating a computer system involving data encryption is described. In step 1010, a user opens a protected process where some level of data encryption is desired, for example, the encryption of sensitive user interface data or user files. Other data may be encrypted as desired. At step 1020, processor P1 120 instructs processor P2 140 to initiate a protected process and open a process window. P1 120 encrypts the sensitive data and passes the user interface data to P2 140 when a P2 140 window is selected or active (step 1030). P2 140 generates video data for the P2 140 process window(s) and passes the video data to video processor 170 (step 1040). Video processor 170 decrypts the sensitive data and interleaves the video data from all P1 and P2 processes (step 1050). P2 140 passes the encrypted sensitive data to network interface device 190 (step 1060). Network interface device 190 decrypts the sensitive data and passes the decrypted sensitive data to network 195. Of course, other methods of operating a computer system in which data is encrypted prior to being passed to P2 140, and decrypted after leaving the control of P2 140, are within the spirit and scope of the present teachings.
In accordance with a preferred embodiment of the present invention, data desired to be protected is encrypted prior to sending the data to processor P2 140, which may be running one or more malware processes. Processor P2 140 does not have visibility to the decryption keys, and is therefore unable to decrypt the data. Data may be decrypted by network interface device 190 prior to forwarding the data on to network 195. Conversely, encrypted data may be sent directly over the network for decryption by another computer system, including, for example, an internet banking host computer. Decryption keys may be passed between P1 120 and network interface device 190 via a communication link 191. Video processor 170 may decrypt the data prior to displaying the data on video display 180, with decryption keys possibly passed between P1 120 and video processor 170 via a communication link 171. Conversely, data may be passed directly to video processor 170 via a communication link 151.
A user 160 may wish to encrypt just a portion of the data destined for the network, such as passwords, credit card numbers, etc. Conversely, a user may wish to encrypt large blocks of data, such as e-mails or large application files containing sensitive text and/or graphics. Instructions may be passed to network interface device 190 directing 190 to decrypt one or more specific data blocks prior to sending the data blocks to network 195. Conversely, instructions may be passed to network interface device 190 directing 190 to pass one or more specific data blocks to network 195 without decryption.
While this invention has been described with reference to illustrative embodiments, this description is not intended to be construed in a limiting sense. Various modifications and combinations of the illustrative embodiments, as well as other embodiments of the invention, will be apparent to persons skilled in the art upon reference to the description. It is therefore intended that the appended claims encompass any such modifications or embodiments.

Claims (25)

1. A method of operating a computer system having at least a first and second electronic data processor capable of executing instructions using a common operating system, comprising the steps of:
executing instructions in a first logical process within the common operating system using the first electronic data processor, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space;
executing instructions in a second logical process within the common operating system using the second electronic data processor, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers;
displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal;
wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
2. The method of claim 1 wherein the first memory space and the second memory space comprise separate regions of a common memory space.
3. The method of claim 1 wherein the second logical process is selected from the group consisting of; an electronic mail process, an instant messaging process, an internet browser process, an interactive gaming process, a virtual private network (VPN) process, and a reader application process.
4. The method of claim 1 wherein the first logical process receives user interface data, and passes the user interface data to the second logical process.
5. The method of claim 1 wherein the first and second electronic data processors are part of a multi-core electronic data processor.
6. The method of claim 1 and further comprising the step of restoring at least one corrupted data file residing on the second memory space from an image residing on the first memory space.
7. The method of claim 1 and further comprising the step of automatically deleting at least one data file residing on the second memory space when the second logical process is terminated.
8. The method of claim 1 and further comprising the steps of:
encrypting data with the first logical process;
transferring the encrypted data from the first logical process to the second logical process;
transferring the encrypted data from the second logical process to the network interface device.
9. The method of claim 8 and further comprising the steps of:
decrypting the data with the network interface device;
transferring the decrypted data from the network interface device to the network.
10. A multi-processor computer system using a common operating system, comprising:
a first electronic data processor capable of executing instructions using the common operating system and communicatively coupled to a first memory space and a second memory space;
a second electronic data processor capable of executing instructions using the common operating system and communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device;
a video processor adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format;
wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing on the second electronic data processor.
11. The computer system of claim 10 wherein the first memory space and the second memory space comprise separate regions of a common memory space.
12. The computer system of claim 10 wherein the first and second electronic data processors are part of a dual processor computer system.
13. The computer system of claim 10 wherein the second electronic data processor and the video processor are co-located on a circuit card, the circuit card being communicatively coupled to the first electronic data processor.
14. The computer system of claim 10 wherein the computer system is configured such that the first electronic data processor is protected from executing instructions initiated by a malware process downloaded from the network and executing on the second electronic data processor.
15. A multi-processor computer system using a common operating system, comprising:
at least a first and second electronic data processor capable of executing instructions using the common operating system;
at least a first and second memory space;
a video processor;
wherein the first and second electronic data processors, first and second memory space, and video processor are configured for performing the steps of:
executing instructions in a first logical process with the first electronic data processor, wherein the first logical process is executing within the common operating system and is capable of accessing data contained in the first memory space and the second memory space;
executing instructions in a second logical process with the second electronic data processor, wherein the second logical process is executing within the common operating system and is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers;
displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein the video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal;
wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
16. The computer system of claim 15 wherein the computer system is further configured such that the first logical process is protected from executing instructions initiated by a malware process downloaded from the network and executing as part of the second logical process.
17. The computer system of claim 15 and further comprising: at least one network interface device capable of exchanging data with both the second logical process and with the network.
18. The computer system of claim 17 wherein the network interface device is capable of decrypting data received from the second logical process and transmitting the decrypted data to the network while preventing the second logical process from accessing the decrypted data.
19. The computer system of claim 15 wherein the at least one electronic data processor is selected from the group consisting of: a multi-core electronic data processor; dual electronic data processors; and multiple electronic data processors.
20. The computer system of claim 15 and further configured for performing the step of: restoring at least one corrupted data file residing on the second memory space from an image residing on the first memory space.
21. A computer program product comprising a program code stored in a non-transitory computer readable medium configured to:
execute instructions in a first logical process with a first electronic data processor employing a common operating system, the first logical process being configured to access data in a first memory space and a second memory space;
execute instructions in a second logical process with a second electronic data processor employing the common operating system, the second logical process being configured to access data in the second memory space and exchange data across a network of one or more computers;
generate data from the first logical process and the second logical process for display; and
operate the second electronic data processor in a protected mode such that data residing in the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
22. The computer program product of claim 21 wherein said program code stored in said non-transitory computer readable medium is further configured to protect the first logical process from executing instructions initiated by the malware process downloaded from the network and executing as part of the second logical process.
23. The computer program product of claim 21 wherein the first and second electronic data processors are part of a multi-core electronic data processor.
24. The computer program product of claim 21 wherein said program code stored in said non-transitory computer readable medium is further configured to restore at least one corrupted data file residing on the second memory space from an image residing on the first memory space.
25. The computer program product of claim 21 wherein said program code stored in said non-transitory computer readable medium is further configured to automatically delete at least one data file residing on the second memory space when the second logical process is terminated.
US13/015,186 2004-08-07 2011-01-27 System and method for protecting a computer system from malicious software Active 2026-07-18 USRE43987E1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/015,186 USRE43987E1 (en) 2004-08-07 2011-01-27 System and method for protecting a computer system from malicious software

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10/913,609 US7484247B2 (en) 2004-08-07 2004-08-07 System and method for protecting a computer system from malicious software
US12/854,149 USRE43103E1 (en) 2004-08-07 2010-08-10 System and method for protecting a computer system from malicious software
US13/015,186 USRE43987E1 (en) 2004-08-07 2011-01-27 System and method for protecting a computer system from malicious software

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/913,609 Reissue US7484247B2 (en) 2004-08-07 2004-08-07 System and method for protecting a computer system from malicious software

Publications (1)

Publication Number Publication Date
USRE43987E1 true USRE43987E1 (en) 2013-02-05

Family

ID=35759063

Family Applications (6)

Application Number Title Priority Date Filing Date
US10/913,609 Active - Reinstated 2026-07-18 US7484247B2 (en) 2004-08-07 2004-08-07 System and method for protecting a computer system from malicious software
US12/720,207 Active 2026-07-18 USRE43500E1 (en) 2004-08-07 2010-03-09 System and method for protecting a computer system from malicious software
US12/720,147 Active 2026-07-18 USRE43528E1 (en) 2004-08-07 2010-03-09 System and method for protecting a computer system from malicious software
US12/854,149 Active 2026-07-18 USRE43103E1 (en) 2004-08-07 2010-08-10 System and method for protecting a computer system from malicious software
US12/941,067 Active 2026-07-18 USRE43529E1 (en) 2004-08-07 2010-11-07 System and method for protecting a computer system from malicious software
US13/015,186 Active 2026-07-18 USRE43987E1 (en) 2004-08-07 2011-01-27 System and method for protecting a computer system from malicious software

Family Applications Before (5)

Application Number Title Priority Date Filing Date
US10/913,609 Active - Reinstated 2026-07-18 US7484247B2 (en) 2004-08-07 2004-08-07 System and method for protecting a computer system from malicious software
US12/720,207 Active 2026-07-18 USRE43500E1 (en) 2004-08-07 2010-03-09 System and method for protecting a computer system from malicious software
US12/720,147 Active 2026-07-18 USRE43528E1 (en) 2004-08-07 2010-03-09 System and method for protecting a computer system from malicious software
US12/854,149 Active 2026-07-18 USRE43103E1 (en) 2004-08-07 2010-08-10 System and method for protecting a computer system from malicious software
US12/941,067 Active 2026-07-18 USRE43529E1 (en) 2004-08-07 2010-11-07 System and method for protecting a computer system from malicious software

Country Status (1)

Country Link
US (6) US7484247B2 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130347114A1 (en) * 2012-04-30 2013-12-26 Verint Systems Ltd. System and method for malware detection
US9923913B2 (en) 2013-06-04 2018-03-20 Verint Systems Ltd. System and method for malware detection learning
US10142426B2 (en) 2015-03-29 2018-11-27 Verint Systems Ltd. System and method for identifying communication session participants based on traffic patterns
US10198427B2 (en) 2013-01-29 2019-02-05 Verint Systems Ltd. System and method for keyword spotting using representative dictionary
US10491609B2 (en) 2016-10-10 2019-11-26 Verint Systems Ltd. System and method for generating data sets for learning to identify user actions
US10546008B2 (en) 2015-10-22 2020-01-28 Verint Systems Ltd. System and method for maintaining a dynamic dictionary
US10560842B2 (en) 2015-01-28 2020-02-11 Verint Systems Ltd. System and method for combined network-side and off-air monitoring of wireless networks
US10614107B2 (en) 2015-10-22 2020-04-07 Verint Systems Ltd. System and method for keyword searching using both static and dynamic dictionaries
US10630588B2 (en) 2014-07-24 2020-04-21 Verint Systems Ltd. System and method for range matching
US10958613B2 (en) 2018-01-01 2021-03-23 Verint Systems Ltd. System and method for identifying pairs of related application users
US10972558B2 (en) 2017-04-30 2021-04-06 Verint Systems Ltd. System and method for tracking users of computer applications
US10999295B2 (en) 2019-03-20 2021-05-04 Verint Systems Ltd. System and method for de-anonymizing actions and messages on networks
US11381977B2 (en) 2016-04-25 2022-07-05 Cognyte Technologies Israel Ltd. System and method for decrypting communication exchanged on a wireless local area network
US11399016B2 (en) 2019-11-03 2022-07-26 Cognyte Technologies Israel Ltd. System and method for identifying exchanges of encrypted communication traffic
US11403559B2 (en) 2018-08-05 2022-08-02 Cognyte Technologies Israel Ltd. System and method for using a user-action log to learn to classify encrypted traffic
US11575625B2 (en) 2017-04-30 2023-02-07 Cognyte Technologies Israel Ltd. System and method for identifying relationships between users of computer applications

Families Citing this family (136)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7506020B2 (en) 1996-11-29 2009-03-17 Frampton E Ellis Global network computers
US7926097B2 (en) 1996-11-29 2011-04-12 Ellis Iii Frampton E Computer or microchip protected from the internet by internal hardware
US20040003081A1 (en) * 2002-06-26 2004-01-01 Microsoft Corporation System and method for providing program credentials
US7757291B2 (en) * 2003-09-15 2010-07-13 Trigence Corp. Malware containment by application encapsulation
US9178784B2 (en) 2004-04-15 2015-11-03 Raytheon Company System and method for cluster management based on HPC architecture
US8335909B2 (en) 2004-04-15 2012-12-18 Raytheon Company Coupling processors to each other for high performance computing (HPC)
US8336040B2 (en) 2004-04-15 2012-12-18 Raytheon Company System and method for topology-aware job scheduling and backfilling in an HPC environment
US8707251B2 (en) * 2004-06-07 2014-04-22 International Business Machines Corporation Buffered viewing of electronic documents
US7484247B2 (en) * 2004-08-07 2009-01-27 Allen F Rozman System and method for protecting a computer system from malicious software
US8640194B2 (en) * 2004-08-25 2014-01-28 Nec Corporation Information communication device and program execution environment control method
US7533131B2 (en) * 2004-10-01 2009-05-12 Webroot Software, Inc. System and method for pestware detection and removal
KR20060061219A (en) * 2004-12-01 2006-06-07 주식회사 비에스텍 E n c r y p t i o n p r o c e s s o r
US7571475B2 (en) * 2005-04-05 2009-08-04 Cisco Technology, Inc. Method and electronic device for triggering zeroization in an electronic device
US7565695B2 (en) * 2005-04-12 2009-07-21 Webroot Software, Inc. System and method for directly accessing data from a data storage medium
US20060230455A1 (en) * 2005-04-12 2006-10-12 Yuan-Chang Lo Apparatus and methods for file system with write buffer to protect against malware
US8452744B2 (en) * 2005-06-06 2013-05-28 Webroot Inc. System and method for analyzing locked files
WO2006131921A2 (en) * 2005-06-08 2006-12-14 Discretix Technologies Ltd. Method, device, and system of maintaining a context of a secure execution environment
US7788132B2 (en) * 2005-06-29 2010-08-31 Google, Inc. Reviewing the suitability of Websites for participation in an advertising network
US20090144826A2 (en) * 2005-06-30 2009-06-04 Webroot Software, Inc. Systems and Methods for Identifying Malware Distribution
US7712132B1 (en) * 2005-10-06 2010-05-04 Ogilvie John W Detecting surreptitious spyware
US8381297B2 (en) 2005-12-13 2013-02-19 Yoggie Security Systems Ltd. System and method for providing network security to mobile devices
US8869270B2 (en) 2008-03-26 2014-10-21 Cupp Computing As System and method for implementing content and network security inside a chip
US20080276302A1 (en) 2005-12-13 2008-11-06 Yoggie Security Systems Ltd. System and Method for Providing Data and Device Security Between External and Host Devices
JP5203969B2 (en) * 2006-01-17 2013-06-05 キダロ (イスラエル) リミテッド Securing data in a networked environment
US8606895B2 (en) * 2006-01-17 2013-12-10 Kidaro (Israel) Ltd. Seamless integration of multiple computing environments
US20070168694A1 (en) * 2006-01-18 2007-07-19 Phil Maddaloni System and method for identifying and removing pestware using a secondary operating system
US9112897B2 (en) * 2006-03-30 2015-08-18 Advanced Network Technology Laboratories Pte Ltd. System and method for securing a network session
US8434148B2 (en) * 2006-03-30 2013-04-30 Advanced Network Technology Laboratories Pte Ltd. System and method for providing transactional security for an end-user device
US9547485B2 (en) 2006-03-31 2017-01-17 Prowess Consulting, Llc System and method for deploying a virtual machine
US20070234337A1 (en) * 2006-03-31 2007-10-04 Prowess Consulting, Llc System and method for sanitizing a computer program
US20070237088A1 (en) * 2006-04-05 2007-10-11 Honeywell International. Inc Apparatus and method for providing network security
US8539581B2 (en) * 2006-04-27 2013-09-17 The Invention Science Fund I, Llc Efficient distribution of a malware countermeasure
US8966630B2 (en) * 2006-04-27 2015-02-24 The Invention Science Fund I, Llc Generating and distributing a malware countermeasure
US8191145B2 (en) * 2006-04-27 2012-05-29 The Invention Science Fund I, Llc Virus immunization using prioritized routing
US7917956B2 (en) 2006-04-27 2011-03-29 The Invention Science Fund I, Llc Multi-network virus immunization
US8613095B2 (en) * 2006-06-30 2013-12-17 The Invention Science Fund I, Llc Smart distribution of a malware countermeasure
US8151353B2 (en) 2006-04-27 2012-04-03 The Invention Science Fund I, Llc Multi-network virus immunization with trust aspects
US8863285B2 (en) * 2006-04-27 2014-10-14 The Invention Science Fund I, Llc Virus immunization using prioritized routing
US7934260B2 (en) * 2006-04-27 2011-04-26 The Invention Science Fund I, Llc Virus immunization using entity-sponsored bypass network
US8117654B2 (en) * 2006-06-30 2012-02-14 The Invention Science Fund I, Llc Implementation of malware countermeasures in a network device
US9258327B2 (en) 2006-04-27 2016-02-09 Invention Science Fund I, Llc Multi-network virus immunization
US7849508B2 (en) * 2006-04-27 2010-12-07 The Invention Science Fund I, Llc Virus immunization using entity-sponsored bypass network
US8888585B1 (en) * 2006-05-10 2014-11-18 Mcafee, Inc. Game console system, method and computer program product with anti-malware/spyware and parental control capabilities
US8185737B2 (en) 2006-06-23 2012-05-22 Microsoft Corporation Communication across domains
US7996903B2 (en) 2006-07-07 2011-08-09 Webroot Software, Inc. Method and system for detecting and removing hidden pestware files
US8190868B2 (en) 2006-08-07 2012-05-29 Webroot Inc. Malware management through kernel detection
JP4895718B2 (en) * 2006-08-14 2012-03-14 株式会社リコー Image forming apparatus, data recovery method, and recording medium
US8136162B2 (en) * 2006-08-31 2012-03-13 Broadcom Corporation Intelligent network interface controller
US8056134B1 (en) 2006-09-10 2011-11-08 Ogilvie John W Malware detection and identification via malware spoofing
US9639696B1 (en) * 2006-09-29 2017-05-02 Symantec Operating Corporation Method and apparatus for analyzing end user license agreements
US7941852B2 (en) * 2006-10-04 2011-05-10 Symantec Corporation Detecting an audio/visual threat
US8590002B1 (en) 2006-11-29 2013-11-19 Mcafee Inc. System, method and computer program product for maintaining a confidentiality of data on a network
US20080182667A1 (en) * 2007-01-25 2008-07-31 Igt, Inc. Method of securing data on a portable gaming device from tampering
US8621008B2 (en) 2007-04-26 2013-12-31 Mcafee, Inc. System, method and computer program product for performing an action based on an aspect of an electronic mail message thread
US8726041B2 (en) * 2007-05-09 2014-05-13 Sony Corporation Methods and apparatus for generating a random number in one or more isolated processors
US8365272B2 (en) 2007-05-30 2013-01-29 Yoggie Security Systems Ltd. System and method for providing network and computer firewall protection with dynamic address isolation to a device
US10019570B2 (en) 2007-06-14 2018-07-10 Microsoft Technology Licensing, Llc Protection and communication abstractions for web browsers
US8199965B1 (en) 2007-08-17 2012-06-12 Mcafee, Inc. System, method, and computer program product for preventing image-related data loss
US20130276061A1 (en) 2007-09-05 2013-10-17 Gopi Krishna Chebiyyam System, method, and computer program product for preventing access to data with respect to a data access attempt associated with a remote data sharing session
US8446607B2 (en) * 2007-10-01 2013-05-21 Mcafee, Inc. Method and system for policy based monitoring and blocking of printing activities on local and network printers
US8424078B2 (en) * 2007-11-06 2013-04-16 International Business Machines Corporation Methodology for secure application partitioning enablement
WO2009094371A1 (en) * 2008-01-22 2009-07-30 Authentium, Inc. Trusted secure desktop
US8918865B2 (en) * 2008-01-22 2014-12-23 Wontok, Inc. System and method for protecting data accessed through a network connection
US8893285B2 (en) 2008-03-14 2014-11-18 Mcafee, Inc. Securing data using integrated host-based data loss agent with encryption detection
US9524344B2 (en) * 2008-06-03 2016-12-20 Microsoft Corporation User interface for online ads
US20090299862A1 (en) * 2008-06-03 2009-12-03 Microsoft Corporation Online ad serving
US8813050B2 (en) * 2008-06-03 2014-08-19 Isight Partners, Inc. Electronic crime detection and tracking
US8151073B2 (en) * 2008-06-25 2012-04-03 Fac Systems Inc. Security system for computers
US20090327869A1 (en) * 2008-06-27 2009-12-31 Microsoft Corporation Online ad serving
US7530106B1 (en) * 2008-07-02 2009-05-05 Kaspersky Lab, Zao System and method for security rating of computer processes
US8631488B2 (en) 2008-08-04 2014-01-14 Cupp Computing As Systems and methods for providing security services during power management mode
US9077684B1 (en) 2008-08-06 2015-07-07 Mcafee, Inc. System, method, and computer program product for determining whether an electronic mail message is compliant with an etiquette policy
KR101012669B1 (en) * 2008-09-25 2011-02-11 주식회사 안철수연구소 Malicious program detector for scanning a illegal memory access and method thereof
JP4696151B2 (en) * 2008-10-23 2011-06-08 株式会社エヌ・ティ・ティ・ドコモ Information processing apparatus and memory management method
US9166797B2 (en) * 2008-10-24 2015-10-20 Microsoft Technology Licensing, Llc Secured compartment for transactions
US8789202B2 (en) 2008-11-19 2014-07-22 Cupp Computing As Systems and methods for providing real time access monitoring of a removable media device
US8607345B1 (en) 2008-12-16 2013-12-10 Trend Micro Incorporated Method and apparatus for generic malware downloader detection and prevention
US11489857B2 (en) 2009-04-21 2022-11-01 Webroot Inc. System and method for developing a risk profile for an internet resource
KR101135629B1 (en) * 2009-10-26 2012-04-17 한국전자통신연구원 Method and apparatus for preventing autorun of portable USB storage
US20110111863A1 (en) * 2009-11-12 2011-05-12 Daniel Kaminsky Method and apparatus for securing networked gaming devices
US8494974B2 (en) * 2010-01-18 2013-07-23 iSIGHT Partners Inc. Targeted security implementation through security loss forecasting
US8429735B2 (en) 2010-01-26 2013-04-23 Frampton E. Ellis Method of using one or more secure private networks to actively configure the hardware of a computer or microchip
US8255986B2 (en) * 2010-01-26 2012-08-28 Frampton E. Ellis Methods of securely controlling through one or more separate private networks an internet-connected computer having one or more hardware-based inner firewalls or access barriers
US20110213809A1 (en) * 2010-03-01 2011-09-01 Panda Security, S.L. Method, a system and a computer program product for protecting a data-storing device
US8495739B2 (en) 2010-04-07 2013-07-23 International Business Machines Corporation System and method for ensuring scanning of files without caching the files to network device
US20110273452A1 (en) * 2010-05-10 2011-11-10 Nokia Siemens Networks Oy Data display
US9202049B1 (en) * 2010-06-21 2015-12-01 Pulse Secure, Llc Detecting malware on mobile devices
US8082585B1 (en) * 2010-09-13 2011-12-20 Raymond R. Givonetti Protecting computers from malware using a hardware solution that is not alterable by any software
CN102436559B (en) * 2010-09-29 2016-06-01 联想(北京)有限公司 A kind of state switching method and system
US8438644B2 (en) 2011-03-07 2013-05-07 Isight Partners, Inc. Information system security based on threat vectors
KR20120118353A (en) * 2011-04-18 2012-10-26 삼성전자주식회사 Broadcast receiving apparatus and method of installing service
RU2506638C2 (en) * 2011-06-28 2014-02-10 Закрытое акционерное общество "Лаборатория Касперского" System and method for hardware detection and cleaning of unknown malware installed on personal computer
US20130096980A1 (en) * 2011-10-18 2013-04-18 Mcafee, Inc. User-defined countermeasures
TWI619038B (en) * 2011-11-07 2018-03-21 Admedec Co Ltd Safety box
US9047456B2 (en) 2012-03-20 2015-06-02 Canon Information And Imaging Solutions, Inc. System and method for controlling access to a resource
US8832837B2 (en) * 2012-06-29 2014-09-09 Mcafee Inc. Preventing attacks on devices with multiple CPUs
US8938796B2 (en) 2012-09-20 2015-01-20 Paul Case, SR. Case secure computer architecture
US11126720B2 (en) 2012-09-26 2021-09-21 Bluvector, Inc. System and method for automated machine-learning, zero-day malware detection
US9292688B2 (en) 2012-09-26 2016-03-22 Northrop Grumman Systems Corporation System and method for automated machine-learning, zero-day malware detection
RU2531565C2 (en) 2012-09-28 2014-10-20 Закрытое акционерное общество "Лаборатория Касперского" System and method for analysing file launch events for determining safety ranking thereof
EP2904743B1 (en) 2012-10-02 2017-09-06 Mordecai Barkan Secure computer architectures, systems, and applications
US11188652B2 (en) 2012-10-02 2021-11-30 Mordecai Barkan Access management and credential protection
US9342695B2 (en) 2012-10-02 2016-05-17 Mordecai Barkan Secured automated or semi-automated systems
US9672360B2 (en) 2012-10-02 2017-06-06 Mordecai Barkan Secure computer architectures, systems, and applications
WO2014059037A2 (en) 2012-10-09 2014-04-17 Cupp Computing As Transaction security systems and methods
EP2973172B1 (en) 2013-03-12 2017-07-26 Intel Corporation Preventing malicious instruction execution
US9501645B2 (en) * 2013-03-15 2016-11-22 Rudolf H. Hendel System and method for the protection of computers and computer networks against cyber threats
WO2014185893A1 (en) * 2013-05-14 2014-11-20 Hewlett-Packard Development Company, L.P. Detection of a security event
WO2014204363A1 (en) * 2013-06-19 2014-12-24 Telefonaktiebolaget L M Ericsson (Publ) Method and an integrated circuit for executing a trusted application within a trusted runtime environment
WO2015006375A1 (en) 2013-07-08 2015-01-15 Cupp Computing As Systems and methods for providing digital content marketplace security
US9177150B1 (en) 2013-12-04 2015-11-03 Google Inc. Detecting setting tampering
US9870116B1 (en) 2013-12-09 2018-01-16 Google Llc Controlling actions for browser extensions
WO2015123611A2 (en) 2014-02-13 2015-08-20 Cupp Computing As Systems and methods for providing network security using a secure digital device
US9749344B2 (en) 2014-04-03 2017-08-29 Fireeye, Inc. System and method of cyber threat intensity determination and application to cyber threat mitigation
US9749343B2 (en) 2014-04-03 2017-08-29 Fireeye, Inc. System and method of cyber threat structure mapping and application to cyber threat mitigation
US9372996B2 (en) * 2014-05-15 2016-06-21 International Business Machines Corporation Protecting data owned by an operating system in a multi-operating system mobile environment
US20160006754A1 (en) * 2014-07-01 2016-01-07 Mcafee, Inc. Secure enclave-rendered contents
JP6916112B2 (en) 2014-11-21 2021-08-11 ブルヴェクター, インコーポレーテッドBluvector, Inc. Network data characterization system and method
US9892261B2 (en) 2015-04-28 2018-02-13 Fireeye, Inc. Computer imposed countermeasures driven by malware lineage
US11176240B1 (en) * 2021-04-20 2021-11-16 Stanley Kevin Miles Multi-transfer resource allocation using modified instances of corresponding records in memory
US11461456B1 (en) * 2015-06-19 2022-10-04 Stanley Kevin Miles Multi-transfer resource allocation using modified instances of corresponding records in memory
US10715533B2 (en) * 2016-07-26 2020-07-14 Microsoft Technology Licensing, Llc. Remediation for ransomware attacks on cloud drive folders
US10540498B2 (en) * 2016-08-12 2020-01-21 Intel Corporation Technologies for hardware assisted native malware detection
US10628585B2 (en) 2017-01-23 2020-04-21 Microsoft Technology Licensing, Llc Ransomware resilient databases
KR101997254B1 (en) * 2017-05-10 2019-07-08 김덕우 Computer having isolated user computing part
KR101920866B1 (en) * 2017-05-18 2018-11-21 김덕우 An auxiliary memory device having independent recovery region
US10061923B1 (en) * 2017-06-26 2018-08-28 Pritam Nath Safe and secure internet or network connected computing machine providing means for processing, manipulating, receiving, transmitting and storing information free from hackers, hijackers, virus, malware etc.
US11750623B2 (en) * 2017-09-04 2023-09-05 ITsMine Ltd. System and method for conducting a detailed computerized surveillance in a computerized environment
US10924377B2 (en) * 2018-09-11 2021-02-16 Citrix Systems, Inc. Systems and methods for application scripts for cross-domain applications
CN110505283B (en) * 2019-07-31 2022-10-21 湖南微算互联信息技术有限公司 Automatic maintenance system and method based on cloud mobile phone
US11625505B2 (en) * 2019-08-19 2023-04-11 Microsoft Technology Licensing, Llc Processor with network stack domain and system domain using separate memory regions
US11470118B2 (en) 2019-11-01 2022-10-11 Microsoft Technology Licensing, Llc Processor with network processing stack having separate binary
WO2021211091A1 (en) * 2020-04-13 2021-10-21 KameleonSec Ltd. Secure processing engine for securing a computing system
US11403403B2 (en) 2020-04-13 2022-08-02 KameleonSec Ltd. Secure processing engine for securing a computing system
US11586727B2 (en) * 2021-03-29 2023-02-21 Red Hat, Inc. Systems and methods for preventing kernel stalling attacks
US11599636B1 (en) * 2022-07-27 2023-03-07 Aurora Security Llc Systems and methods for managing and providing software packages which have undergone malware and/or vulnerability analysis

Citations (104)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4890098A (en) 1987-10-20 1989-12-26 International Business Machines Corporation Flexible window management on a computer display
US5280579A (en) 1990-09-28 1994-01-18 Texas Instruments Incorporated Memory mapped interface between host computer and graphics system
US5502808A (en) 1991-07-24 1996-03-26 Texas Instruments Incorporated Video graphics display system with adapter for display management based upon plural memory sources
US5555364A (en) 1994-08-23 1996-09-10 Prosoft Corporation Windowed computer display
US5564051A (en) * 1989-08-03 1996-10-08 International Business Machines Corporation Automatic update of static and dynamic files at a remote network node in response to calls issued by or for application programs
US5666030A (en) 1994-07-20 1997-09-09 Ncr Corporation Multiple window generation in computer display
US5673403A (en) * 1992-11-13 1997-09-30 International Business Machines Corporation Method and system for displaying applications of different operating systems on a single system using the user interface of the different operating systems
US5751979A (en) * 1995-05-31 1998-05-12 Unisys Corporation Video hardware for protected, multiprocessing systems
US5826013A (en) 1995-09-28 1998-10-20 Symantec Corporation Polymorphic virus detection module
US5918039A (en) 1995-12-29 1999-06-29 Wyse Technology, Inc. Method and apparatus for display of windowing application programs on a terminal
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US5978917A (en) 1997-08-14 1999-11-02 Symantec Corporation Detection and elimination of macro viruses
US5995103A (en) 1996-05-10 1999-11-30 Apple Computer, Inc. Window grouping mechanism for creating, manipulating and displaying windows and window groups on a display screen of a computer system
US6091412A (en) 1997-09-30 2000-07-18 The United States Of America As Represented By The Secretary Of The Navy Universal client device permitting a computer to receive and display information from several special applications
US6108715A (en) 1994-12-13 2000-08-22 Microsoft Corporation Method and system for invoking remote procedure calls
US6134661A (en) 1998-02-11 2000-10-17 Topp; William C. Computer network security device and method
US6167522A (en) 1997-04-01 2000-12-26 Sun Microsystems, Inc. Method and apparatus for providing security for servers executing application programs received via a network
US6183366B1 (en) 1996-01-19 2001-02-06 Sheldon Goldberg Network gaming system
US6192477B1 (en) * 1999-02-02 2001-02-20 Dagg Llc Methods, software, and apparatus for secure communication over a computer network
US6199181B1 (en) * 1997-09-09 2001-03-06 Perfecto Technologies Ltd. Method and system for maintaining restricted operating environments for application programs or operating systems
US6216112B1 (en) 1998-05-27 2001-04-10 William H. Fuller Method for software distribution and compensation with replenishable advertisements
US6275938B1 (en) 1997-08-28 2001-08-14 Microsoft Corporation Security enhancement for untrusted executable code
US6285987B1 (en) 1997-01-22 2001-09-04 Engage, Inc. Internet advertising system
US20020002673A1 (en) * 2000-06-30 2002-01-03 Microsoft Corporation System and method for integrating secure and non-secure software objects
US6351816B1 (en) 1996-05-30 2002-02-26 Sun Microsystems, Inc. System and method for securing a program's execution in a network environment
US20020052809A1 (en) * 2000-11-02 2002-05-02 Orell Fussli Security Documents Ag Method for verifying the authenticity of articles
US6385721B1 (en) * 1999-01-22 2002-05-07 Hewlett-Packard Company Computer with bootable hibernation partition
US6397242B1 (en) 1998-05-15 2002-05-28 Vmware, Inc. Virtualization system including a virtual machine monitor for a computer with a segmented architecture
US20020066016A1 (en) 2000-03-15 2002-05-30 International Business Machines Corporation Access control for computers
US6401134B1 (en) 1997-07-25 2002-06-04 Sun Microsystems, Inc. Detachable java applets
US6433794B1 (en) 1998-07-31 2002-08-13 International Business Machines Corporation Method and apparatus for selecting a java virtual machine for use with a browser
US6438600B1 (en) 1999-01-29 2002-08-20 International Business Machines Corporation Securely sharing log-in credentials among trusted browser-based applications
US6480198B2 (en) 1997-06-27 2002-11-12 S3 Graphics Co., Ltd. Multi-function controller and method for a computer graphics display system
US20020174349A1 (en) 2001-05-15 2002-11-21 Wolff Daniel Joseph Detecting malicious alteration of stored computer files
US6492995B1 (en) 1999-04-26 2002-12-10 International Business Machines Corporation Method and system for enabling localization support on web applications
US6505300B2 (en) 1998-06-12 2003-01-07 Microsoft Corporation Method and system for secure running of untrusted content
US6507904B1 (en) 2000-03-31 2003-01-14 Intel Corporation Executing isolated mode instructions in a secure system running in privilege rings
US6507948B1 (en) 1999-09-02 2003-01-14 International Business Machines Corporation Method, system, and program for generating batch files
US20030023857A1 (en) 2001-07-26 2003-01-30 Hinchliffe Alexander James Malware infection suppression
US6546554B1 (en) 2000-01-21 2003-04-08 Sun Microsystems, Inc. Browser-independent and automatic apparatus and method for receiving, installing and launching applications from a browser on a client computer
US6553377B1 (en) 2000-03-31 2003-04-22 Network Associates, Inc. System and process for maintaining a plurality of remote security applications using a modular framework in a distributed computing environment
US20030097591A1 (en) 2001-11-20 2003-05-22 Khai Pham System and method for protecting computer users from web sites hosting computer viruses
US6578140B1 (en) * 2000-04-13 2003-06-10 Claude M Policard Personal computer having a master computer system and an internet computer system and monitoring a condition of said master and internet computer systems
US6581162B1 (en) 1996-12-31 2003-06-17 Compaq Information Technologies Group, L.P. Method for securely creating, storing and using encryption keys in a computer system
US20030131152A1 (en) 2001-09-20 2003-07-10 Ulfar Erlingsson Altered states of software component behavior
US20030177397A1 (en) 2000-08-31 2003-09-18 Ben Samman Virus protection in an internet environment
US6633963B1 (en) 2000-03-31 2003-10-14 Intel Corporation Controlling access to multiple memory zones in an isolated execution environment
US20030221114A1 (en) * 2002-03-08 2003-11-27 International Business Machines Corporation Authentication system and method
US6658573B1 (en) 1997-01-17 2003-12-02 International Business Machines Corporation Protecting resources in a distributed computer system
US6663000B1 (en) 2002-08-01 2003-12-16 Networks Associates Technology, Inc. Validating components of a malware scanner
US20040006706A1 (en) * 2002-06-06 2004-01-08 Ulfar Erlingsson Methods and systems for implementing a secure application execution environment using derived user accounts for internet content
US20040006715A1 (en) 2002-07-05 2004-01-08 Skrepetos Nicholas C. System and method for providing security to a remote computer over a network browser interface
US6678712B1 (en) * 1996-01-19 2004-01-13 International Business Machines Corporation Method and system for executing a program under one of a plurality of mutually exclusive operating environments
US6678825B1 (en) 2000-03-31 2004-01-13 Intel Corporation Controlling access to multiple isolated memories in an isolated execution environment
US6691230B1 (en) 1998-10-15 2004-02-10 International Business Machines Corporation Method and system for extending Java applets sand box with public client storage
US20040034794A1 (en) 2000-05-28 2004-02-19 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US20040039944A1 (en) * 2002-07-08 2004-02-26 Teiji Karasaki System and method for secure wall
US20040054588A1 (en) 1999-12-08 2004-03-18 Jacobs Paul E. E-mail software and method and system for distributing advertisements to client devices that have such e-mail software installed thereon
US6735700B1 (en) 2000-01-11 2004-05-11 Network Associates Technology, Inc. Fast virus scanning using session stamping
US6754815B1 (en) * 2000-03-31 2004-06-22 Intel Corporation Method and system for scrubbing an isolated area of memory after reset of a processor operating in isolated execution mode if a cleanup flag is set
US6757685B2 (en) 2001-02-19 2004-06-29 Hewlett-Packard Development Company, L.P. Process for executing a downloadable service receiving restrictive access rights to at least one profile file
US6756236B2 (en) 2000-12-05 2004-06-29 Sony International (Europe) Gmbh Method of producing a ferroelectric memory and a memory device
US6772345B1 (en) 2002-02-08 2004-08-03 Networks Associates Technology, Inc. Protocol-level malware scanner
US20040199763A1 (en) 2003-04-01 2004-10-07 Zone Labs, Inc. Security System with Methodology for Interprocess Communication Control
US6804780B1 (en) 1996-11-08 2004-10-12 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US6836885B1 (en) 1998-09-21 2004-12-28 Wyse Technology Inc. Method and apparatus for display of windowing application programs on a terminal
US20040267929A1 (en) * 2003-06-27 2004-12-30 Servgate Technologies, Inc Method, system and computer program products for adaptive web-site access blocking
US20050005153A1 (en) * 2003-06-30 2005-01-06 Kaustubh Das Processor based system and method for virus detection
US6871348B1 (en) * 1999-09-15 2005-03-22 Intel Corporation Method and apparatus for integrating the user interfaces of multiple applications into one application
US6873988B2 (en) 2001-07-06 2005-03-29 Check Point Software Technologies, Inc. System and methods providing anti-virus cooperative enforcement
US6880110B2 (en) 2000-05-19 2005-04-12 Self Repairing Computers, Inc. Self-repairing computer having protected software template and isolated trusted computing environment for automated recovery from virus and hacker attack
US20050149726A1 (en) * 2003-10-21 2005-07-07 Amit Joshi Systems and methods for secure client applications
US20050198692A1 (en) * 2004-03-02 2005-09-08 International Business Machines Corporation System and method of protecting a computing system from harmful active content in documents
US20050240810A1 (en) 2004-04-06 2005-10-27 Safford Kevin D Off-chip lockstep checking
US20060004667A1 (en) 2004-06-30 2006-01-05 Microsoft Corporation Systems and methods for collecting operating system license revenue using an emulated computing environment
US6990630B2 (en) 1998-05-15 2006-01-24 Unicast Communications Corporation Technique for implementing browser-initiated user-transparent network-distributed advertising and for interstitially displaying an advertisement, so distributed, through a web browser in response to a user click-stream
US6996828B1 (en) * 1997-09-12 2006-02-07 Hitachi, Ltd. Multi-OS configuration method
US7013484B1 (en) * 2000-03-31 2006-03-14 Intel Corporation Managing a secure environment using a chipset in isolated execution mode
US7024581B1 (en) * 2002-10-09 2006-04-04 Xpoint Technologies, Inc. Data processing recovery system and method spanning multiple operating system
US7024555B2 (en) * 2001-11-01 2006-04-04 Intel Corporation Apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment
US7062672B2 (en) 2001-06-08 2006-06-13 Hewlett-Packard Development Company, L.P. Method of and computer network arrangement for restoring an impaired software image
US7082615B1 (en) * 2000-03-31 2006-07-25 Intel Corporation Protecting software environment in isolated execution
US7085928B1 (en) 2000-03-31 2006-08-01 Cigital System and method for defending against malicious software
US7096381B2 (en) 2001-05-21 2006-08-22 Self Repairing Computer, Inc. On-the-fly repair of a computer
US7139890B2 (en) 2002-04-30 2006-11-21 Intel Corporation Methods and arrangements to interface memory
US7146640B2 (en) * 2002-09-05 2006-12-05 Exobox Technologies Corp. Personal computer internet security system
US7146305B2 (en) * 2000-10-24 2006-12-05 Vcis, Inc. Analytical virtual machine
US7181768B1 (en) 1999-10-28 2007-02-20 Cigital Computer intrusion detection system and method based on application monitoring
US7191469B2 (en) 2002-05-13 2007-03-13 Green Border Technologies Methods and systems for providing a secure application environment using derived user accounts
US7246374B1 (en) 2000-03-13 2007-07-17 Microsoft Corporation Enhancing computer system security via multiple user desktops
US7284274B1 (en) 2001-01-18 2007-10-16 Cigital, Inc. System and method for identifying and eliminating vulnerabilities in computer software applications
US7373505B2 (en) 2004-04-15 2008-05-13 Microsoft Corporation Displaying a security element with a browser window
US7401230B2 (en) 2004-03-31 2008-07-15 Intel Corporation Secure virtual machine monitor to tear down a secure execution environment
US7421689B2 (en) 2003-10-28 2008-09-02 Hewlett-Packard Development Company, L.P. Processor-architecture for facilitating a virtual machine monitor
US7444412B2 (en) 2001-06-08 2008-10-28 Hewlett-Packard Development Company, L.P. Data processing system and method
US7484247B2 (en) * 2004-08-07 2009-01-27 Allen F Rozman System and method for protecting a computer system from malicious software
US7565522B2 (en) 2004-05-10 2009-07-21 Intel Corporation Methods and apparatus for integrity measurement of virtual machine monitor and operating system via secure launch
US7596694B1 (en) 2004-03-08 2009-09-29 Hewlett-Packard Development Company, L.P. System and method for safely executing downloaded code on a computer system
US7657419B2 (en) * 2001-06-19 2010-02-02 International Business Machines Corporation Analytical virtual machine
US7676842B2 (en) 2002-04-13 2010-03-09 Computer Associates Think, Inc. System and method for detecting malicious code
US7730318B2 (en) * 2003-10-24 2010-06-01 Microsoft Corporation Integration of high-assurance features into an application through application factoring
US7818808B1 (en) * 2000-12-27 2010-10-19 Intel Corporation Processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor
US7849310B2 (en) * 2002-11-18 2010-12-07 Arm Limited Switching between secure and non-secure processing modes
US7854008B1 (en) * 2007-08-10 2010-12-14 Fortinet, Inc. Software-hardware partitioning in a virus processing system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US586013A (en) * 1897-07-06 Cartridge-loading implement
US6658576B1 (en) * 1999-09-29 2003-12-02 Smartpower Corporation Energy-conserving communication apparatus selectively switching between a main processor with main operating instructions and keep-alive processor with keep-alive operating instruction
US6456554B1 (en) * 1999-10-19 2002-09-24 Texas Instruments Incorporated Chip identifier and method of fabrication
US7788669B2 (en) * 2003-05-02 2010-08-31 Microsoft Corporation System for isolating first computing environment from second execution environment while sharing resources by copying data from first portion to second portion of memory

Patent Citations (111)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4890098A (en) 1987-10-20 1989-12-26 International Business Machines Corporation Flexible window management on a computer display
US5564051A (en) * 1989-08-03 1996-10-08 International Business Machines Corporation Automatic update of static and dynamic files at a remote network node in response to calls issued by or for application programs
US5280579A (en) 1990-09-28 1994-01-18 Texas Instruments Incorporated Memory mapped interface between host computer and graphics system
US5502808A (en) 1991-07-24 1996-03-26 Texas Instruments Incorporated Video graphics display system with adapter for display management based upon plural memory sources
US5673403A (en) * 1992-11-13 1997-09-30 International Business Machines Corporation Method and system for displaying applications of different operating systems on a single system using the user interface of the different operating systems
US5666030A (en) 1994-07-20 1997-09-09 Ncr Corporation Multiple window generation in computer display
US5555364A (en) 1994-08-23 1996-09-10 Prosoft Corporation Windowed computer display
US6108715A (en) 1994-12-13 2000-08-22 Microsoft Corporation Method and system for invoking remote procedure calls
US5751979A (en) * 1995-05-31 1998-05-12 Unisys Corporation Video hardware for protected, multiprocessing systems
US5826013A (en) 1995-09-28 1998-10-20 Symantec Corporation Polymorphic virus detection module
US5918039A (en) 1995-12-29 1999-06-29 Wyse Technology, Inc. Method and apparatus for display of windowing application programs on a terminal
US6183366B1 (en) 1996-01-19 2001-02-06 Sheldon Goldberg Network gaming system
US6678712B1 (en) * 1996-01-19 2004-01-13 International Business Machines Corporation Method and system for executing a program under one of a plurality of mutually exclusive operating environments
US5995103A (en) 1996-05-10 1999-11-30 Apple Computer, Inc. Window grouping mechanism for creating, manipulating and displaying windows and window groups on a display screen of a computer system
US6351816B1 (en) 1996-05-30 2002-02-26 Sun Microsystems, Inc. System and method for securing a program's execution in a network environment
US6804780B1 (en) 1996-11-08 2004-10-12 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US6581162B1 (en) 1996-12-31 2003-06-17 Compaq Information Technologies Group, L.P. Method for securely creating, storing and using encryption keys in a computer system
US6658573B1 (en) 1997-01-17 2003-12-02 International Business Machines Corporation Protecting resources in a distributed computer system
US6285987B1 (en) 1997-01-22 2001-09-04 Engage, Inc. Internet advertising system
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US6167522A (en) 1997-04-01 2000-12-26 Sun Microsystems, Inc. Method and apparatus for providing security for servers executing application programs received via a network
US6480198B2 (en) 1997-06-27 2002-11-12 S3 Graphics Co., Ltd. Multi-function controller and method for a computer graphics display system
US6401134B1 (en) 1997-07-25 2002-06-04 Sun Microsystems, Inc. Detachable java applets
US5978917A (en) 1997-08-14 1999-11-02 Symantec Corporation Detection and elimination of macro viruses
US6275938B1 (en) 1997-08-28 2001-08-14 Microsoft Corporation Security enhancement for untrusted executable code
US6199181B1 (en) * 1997-09-09 2001-03-06 Perfecto Technologies Ltd. Method and system for maintaining restricted operating environments for application programs or operating systems
US6321337B1 (en) 1997-09-09 2001-11-20 Sanctum Ltd. Method and system for protecting operations of trusted internal networks
US6996828B1 (en) * 1997-09-12 2006-02-07 Hitachi, Ltd. Multi-OS configuration method
US6091412A (en) 1997-09-30 2000-07-18 The United States Of America As Represented By The Secretary Of The Navy Universal client device permitting a computer to receive and display information from several special applications
US6134661A (en) 1998-02-11 2000-10-17 Topp; William C. Computer network security device and method
US6397242B1 (en) 1998-05-15 2002-05-28 Vmware, Inc. Virtualization system including a virtual machine monitor for a computer with a segmented architecture
US6990630B2 (en) 1998-05-15 2006-01-24 Unicast Communications Corporation Technique for implementing browser-initiated user-transparent network-distributed advertising and for interstitially displaying an advertisement, so distributed, through a web browser in response to a user click-stream
US6216112B1 (en) 1998-05-27 2001-04-10 William H. Fuller Method for software distribution and compensation with replenishable advertisements
US6505300B2 (en) 1998-06-12 2003-01-07 Microsoft Corporation Method and system for secure running of untrusted content
US6433794B1 (en) 1998-07-31 2002-08-13 International Business Machines Corporation Method and apparatus for selecting a java virtual machine for use with a browser
US6836885B1 (en) 1998-09-21 2004-12-28 Wyse Technology Inc. Method and apparatus for display of windowing application programs on a terminal
US6691230B1 (en) 1998-10-15 2004-02-10 International Business Machines Corporation Method and system for extending Java applets sand box with public client storage
US6385721B1 (en) * 1999-01-22 2002-05-07 Hewlett-Packard Company Computer with bootable hibernation partition
US6438600B1 (en) 1999-01-29 2002-08-20 International Business Machines Corporation Securely sharing log-in credentials among trusted browser-based applications
US6192477B1 (en) * 1999-02-02 2001-02-20 Dagg Llc Methods, software, and apparatus for secure communication over a computer network
US6492995B1 (en) 1999-04-26 2002-12-10 International Business Machines Corporation Method and system for enabling localization support on web applications
US6507948B1 (en) 1999-09-02 2003-01-14 International Business Machines Corporation Method, system, and program for generating batch files
US6871348B1 (en) * 1999-09-15 2005-03-22 Intel Corporation Method and apparatus for integrating the user interfaces of multiple applications into one application
US7181768B1 (en) 1999-10-28 2007-02-20 Cigital Computer intrusion detection system and method based on application monitoring
US20040054588A1 (en) 1999-12-08 2004-03-18 Jacobs Paul E. E-mail software and method and system for distributing advertisements to client devices that have such e-mail software installed thereon
US6735700B1 (en) 2000-01-11 2004-05-11 Network Associates Technology, Inc. Fast virus scanning using session stamping
US6546554B1 (en) 2000-01-21 2003-04-08 Sun Microsystems, Inc. Browser-independent and automatic apparatus and method for receiving, installing and launching applications from a browser on a client computer
US7246374B1 (en) 2000-03-13 2007-07-17 Microsoft Corporation Enhancing computer system security via multiple user desktops
US20020066016A1 (en) 2000-03-15 2002-05-30 International Business Machines Corporation Access control for computers
US7085928B1 (en) 2000-03-31 2006-08-01 Cigital System and method for defending against malicious software
US6633963B1 (en) 2000-03-31 2003-10-14 Intel Corporation Controlling access to multiple memory zones in an isolated execution environment
US7013484B1 (en) * 2000-03-31 2006-03-14 Intel Corporation Managing a secure environment using a chipset in isolated execution mode
US6754815B1 (en) * 2000-03-31 2004-06-22 Intel Corporation Method and system for scrubbing an isolated area of memory after reset of a processor operating in isolated execution mode if a cleanup flag is set
US6507904B1 (en) 2000-03-31 2003-01-14 Intel Corporation Executing isolated mode instructions in a secure system running in privilege rings
US6678825B1 (en) 2000-03-31 2004-01-13 Intel Corporation Controlling access to multiple isolated memories in an isolated execution environment
US6553377B1 (en) 2000-03-31 2003-04-22 Network Associates, Inc. System and process for maintaining a plurality of remote security applications using a modular framework in a distributed computing environment
US7082615B1 (en) * 2000-03-31 2006-07-25 Intel Corporation Protecting software environment in isolated execution
US6578140B1 (en) * 2000-04-13 2003-06-10 Claude M Policard Personal computer having a master computer system and an internet computer system and monitoring a condition of said master and internet computer systems
US7577871B2 (en) 2000-05-19 2009-08-18 Vir2Us, Inc. Computer system and method having isolatable storage for enhanced immunity to viral and malicious code infection
US6880110B2 (en) 2000-05-19 2005-04-12 Self Repairing Computers, Inc. Self-repairing computer having protected software template and isolated trusted computing environment for automated recovery from virus and hacker attack
US20040034794A1 (en) 2000-05-28 2004-02-19 Yaron Mayer System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US7039801B2 (en) * 2000-06-30 2006-05-02 Microsoft Corporation System and method for integrating secure and non-secure software objects
US7650493B2 (en) * 2000-06-30 2010-01-19 Microsoft Corporation System and method for integrating secure and non-secure software objects
US20020002673A1 (en) * 2000-06-30 2002-01-03 Microsoft Corporation System and method for integrating secure and non-secure software objects
US20030177397A1 (en) 2000-08-31 2003-09-18 Ben Samman Virus protection in an internet environment
US7146305B2 (en) * 2000-10-24 2006-12-05 Vcis, Inc. Analytical virtual machine
US20020052809A1 (en) * 2000-11-02 2002-05-02 Orell Fussli Security Documents Ag Method for verifying the authenticity of articles
US6756236B2 (en) 2000-12-05 2004-06-29 Sony International (Europe) Gmbh Method of producing a ferroelectric memory and a memory device
US7818808B1 (en) * 2000-12-27 2010-10-19 Intel Corporation Processor mode for limiting the operation of guest software running on a virtual machine supported by a virtual machine monitor
US7284274B1 (en) 2001-01-18 2007-10-16 Cigital, Inc. System and method for identifying and eliminating vulnerabilities in computer software applications
US6757685B2 (en) 2001-02-19 2004-06-29 Hewlett-Packard Development Company, L.P. Process for executing a downloadable service receiving restrictive access rights to at least one profile file
US20020174349A1 (en) 2001-05-15 2002-11-21 Wolff Daniel Joseph Detecting malicious alteration of stored computer files
US7096381B2 (en) 2001-05-21 2006-08-22 Self Repairing Computer, Inc. On-the-fly repair of a computer
US7444412B2 (en) 2001-06-08 2008-10-28 Hewlett-Packard Development Company, L.P. Data processing system and method
US7062672B2 (en) 2001-06-08 2006-06-13 Hewlett-Packard Development Company, L.P. Method of and computer network arrangement for restoring an impaired software image
US7657419B2 (en) * 2001-06-19 2010-02-02 International Business Machines Corporation Analytical virtual machine
US6873988B2 (en) 2001-07-06 2005-03-29 Check Point Software Technologies, Inc. System and methods providing anti-virus cooperative enforcement
US20030023857A1 (en) 2001-07-26 2003-01-30 Hinchliffe Alexander James Malware infection suppression
US20030131152A1 (en) 2001-09-20 2003-07-10 Ulfar Erlingsson Altered states of software component behavior
US7024555B2 (en) * 2001-11-01 2006-04-04 Intel Corporation Apparatus and method for unilaterally loading a secure operating system within a multiprocessor environment
US20030097591A1 (en) 2001-11-20 2003-05-22 Khai Pham System and method for protecting computer users from web sites hosting computer viruses
US6772345B1 (en) 2002-02-08 2004-08-03 Networks Associates Technology, Inc. Protocol-level malware scanner
US20030221114A1 (en) * 2002-03-08 2003-11-27 International Business Machines Corporation Authentication system and method
US7676842B2 (en) 2002-04-13 2010-03-09 Computer Associates Think, Inc. System and method for detecting malicious code
US7139890B2 (en) 2002-04-30 2006-11-21 Intel Corporation Methods and arrangements to interface memory
US7191469B2 (en) 2002-05-13 2007-03-13 Green Border Technologies Methods and systems for providing a secure application environment using derived user accounts
US20040006706A1 (en) * 2002-06-06 2004-01-08 Ulfar Erlingsson Methods and systems for implementing a secure application execution environment using derived user accounts for internet content
US20040006715A1 (en) 2002-07-05 2004-01-08 Skrepetos Nicholas C. System and method for providing security to a remote computer over a network browser interface
US20040039944A1 (en) * 2002-07-08 2004-02-26 Teiji Karasaki System and method for secure wall
US7260839B2 (en) * 2002-07-08 2007-08-21 Hitachi, Ltd. System and method for secure wall
US6663000B1 (en) 2002-08-01 2003-12-16 Networks Associates Technology, Inc. Validating components of a malware scanner
US7146640B2 (en) * 2002-09-05 2006-12-05 Exobox Technologies Corp. Personal computer internet security system
US7024581B1 (en) * 2002-10-09 2006-04-04 Xpoint Technologies, Inc. Data processing recovery system and method spanning multiple operating system
US7849310B2 (en) * 2002-11-18 2010-12-07 Arm Limited Switching between secure and non-secure processing modes
US20040199763A1 (en) 2003-04-01 2004-10-07 Zone Labs, Inc. Security System with Methodology for Interprocess Communication Control
US20040267929A1 (en) * 2003-06-27 2004-12-30 Servgate Technologies, Inc Method, system and computer program products for adaptive web-site access blocking
US7367057B2 (en) * 2003-06-30 2008-04-29 Intel Corporation Processor based system and method for virus detection
US20050005153A1 (en) * 2003-06-30 2005-01-06 Kaustubh Das Processor based system and method for virus detection
US7694328B2 (en) 2003-10-21 2010-04-06 Google Inc. Systems and methods for secure client applications
US20050149726A1 (en) * 2003-10-21 2005-07-07 Amit Joshi Systems and methods for secure client applications
US7730318B2 (en) * 2003-10-24 2010-06-01 Microsoft Corporation Integration of high-assurance features into an application through application factoring
US7421689B2 (en) 2003-10-28 2008-09-02 Hewlett-Packard Development Company, L.P. Processor-architecture for facilitating a virtual machine monitor
US20050198692A1 (en) * 2004-03-02 2005-09-08 International Business Machines Corporation System and method of protecting a computing system from harmful active content in documents
US7596694B1 (en) 2004-03-08 2009-09-29 Hewlett-Packard Development Company, L.P. System and method for safely executing downloaded code on a computer system
US7401230B2 (en) 2004-03-31 2008-07-15 Intel Corporation Secure virtual machine monitor to tear down a secure execution environment
US20050240810A1 (en) 2004-04-06 2005-10-27 Safford Kevin D Off-chip lockstep checking
US7373505B2 (en) 2004-04-15 2008-05-13 Microsoft Corporation Displaying a security element with a browser window
US7565522B2 (en) 2004-05-10 2009-07-21 Intel Corporation Methods and apparatus for integrity measurement of virtual machine monitor and operating system via secure launch
US20060004667A1 (en) 2004-06-30 2006-01-05 Microsoft Corporation Systems and methods for collecting operating system license revenue using an emulated computing environment
US7484247B2 (en) * 2004-08-07 2009-01-27 Allen F Rozman System and method for protecting a computer system from malicious software
US7854008B1 (en) * 2007-08-10 2010-12-14 Fortinet, Inc. Software-hardware partitioning in a virus processing system

Non-Patent Citations (45)

* Cited by examiner, † Cited by third party
Title
Anupam, V., et al., "Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies." 7th Usenix Security Symposium San Antonio, Texas, Jan. 26-29, 1998.
Balfanz, D. et al., "WindowBox: A Simple Security Model for the Connected Desktop," Microsoft Research, US-2000.
Barham, P., et al., "Xen and the Art of Virtualization," SOSP'03, Oct. 19-22, 2003, Bolton Landing, New York, USA.
Berman, A., et al., "TRON: Process-Specific File Protection for the Unix Operating System," Department of Computer Science and Engineering, University of Washington, Jan. 23, 1995.
Chang, F. et al., "User-level Resource-constrained Sandboxing," Usenix Windows System Symposium, Aug. 2000.
Chen, P.M., et al., "When Virtual Is Better Than Real," Department of Electrical Engineering and Computer Science University of Michigan, US-2001.
Dan, A., et al., "A Sandbox Operating System Environment for Controlled Execution of Alien Code." RC 20742 (Feb. 20, 1997) Computer Science IBM Research Report.
De Paoli, F., et al., "Vulnerability of Secure Web Browsers." Reliable Software Group Computer Science Department, University of California, Santa Barbara, 1997.
Dean, D., et al., "Java Security: From HotJava to Netscape and Beyond," 1996 IEEE Symposium on Security and Privacy, Oakland, CA, May 6-8, 1996.
Delpha, L., et al., White Paper: "Smart Phone Security Issues," Cyber Risk Consulting, Blackhat Briefings Europe May 2004.
Dunlap, G.W., et al.M "ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay," Proceedings of the the US-2002 Symposium on Operating Systems Design and Implementation (OSDI).
Garfinkel T., et al., "A Virtual Machine Introspection Based Architecture for Intrusion Detection," Computer Science Department, Stanford University US-2003.
Garfinkel, T., et al., "Terra: A Virtual Machine-Based Platform for Trusted Computing," SOSP'03, Oct. 19-22, 2003, Bolton Landing, New York, USA.
Ghosh, A.K., et al, "Software Security And Privacy Risks In Mobile E-Commerce," Communications of the ACM Feb. 2001 vol. 44, No. 2.
Goldberg, I., et al., "A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)," Computer Science Division, University of California, Berkeley, Sixth Usenix Unix Security Symposium San Jose, California, Jul. 1996.
Goldberg, R.P., "Architecture of Virtual Macines" Honeywell Information Systems, Inc. and Harvard University; Presented at the AFIPS National Computer Conference, New York, New York, Jun. 4-8, 1973.
Harty, K., et al., "Application-Controlled Physical Memory using External Page-Cache Management," Computer Science Department, Stanford University, 1992.
Honeycutt, J., Microsoft® Virtual PC US-2004 Technical Overview, Published Nov. US-2003 http://download.microsoft.com/download/c/f/b/cfb1 OOa7-463d-4b86-ad62-064397178bfNirtual-PC-Technical-Overview.doc.
Ioannidis, S., et al., "Building a Secure Web Browser," US-2001 Usenix Annual Technical Conference Boston, Massachusetts, USA Jun. 25-30, 2001.
Ioannidis, S., et al., "Sub-Operating Systems: A New Approach to Application Security," Technical Report MS-CIS-01-06, University of Pennsylvania, Feb. 2000.
J2ME Building Blocks for Mobile Devices: White Paper on KVM and the Connected, Limited Device Configuration. Sun Microsystems May 19, 2000.
Jacob, B., et al., "Virtual Memory in Contemporary Microprocessors." IEEE Micro Jul.-Aug. 1998.
Jaeger, T., et al. "Flexible Control of Downloaded Executable Content." ACM Transactions on Information and System Security, vol. 2, No. 2, May 1999, pp. 177-228.
Jaeger, T., et al., "Building systems that flexibly control downloaded executable content." In Proceedings of the 1996 Usenix Security Symposium, pp. 131-148, San Jose, Ca., 1996.
Jaeger, T., et al., "Building Systems that Flexibly Control Downloaded Executable Context," Sixth Usenix Unix Security Symposium San Jose, California, Jul. 1996.
Mehta, N.V., et al., "Expanding and Extending the Security Features of Java," Proceedings of the 7th Usenix Security Symposium, San Antonio, Texas, Jan. 26-29, 1998.
Peterson, D., et al., "A Flexible Containment Mechanism for Executing Untrusted Code," Usenix Security Symposium San Francisco, California, USA Aug. 5-9, 2002.
Potter, S., et al., "Secure Isolation and Migration of Untrusted Legacy Applications," Columbia University Technical Report Cucs-005-04, Jan. 2004.
Razmov, V., "Security in Untrusted Code Environments: Missing Pieces of the Puzzle," Dept. of Computer Science and Engineering, University of Washington, Mar. 30, 2002.
Rose, R., "Survey of System Virtualization Techniques," Mar. 8, 2004.
Schmid, M., et al., "Protecting Data from Malicious Software," Annual Computer Security Applications Conference (ACSAC'02), Las Vegas, NV, Dec. 2002.
Shapiro, J. et al., "Design of the EROS Trusted Window System".
Shapiro, J., et al., "Verifying the EROS Confinement Mechanism," IBM T.J. Watson Research Center, 0-7695-0665-8/00, US-2000 IEEE.
Stang, D. PhD, "Beyond Viruses: Why Anti-Virus Software is No Longer Enough," Pest Patrol, US-2002.
Stiegler, M. et al., Report Name: "A Capability Based Client: The Darpa Browser", Combex/Focused Research Topic 5/BAA-00-06-SNK, Nov. 18, 2002.
Sugerman, J., et al., "Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor,".
The Web: Threat or Menace? from "Firewalls and Internet Security: Repelling the Wiley Hacker", Second Edition, Addison-Wesley, ISBN 0-201-63466-X, US-2003.
Townsend, K., "Spyware, Adware, and Peer to Peer Networks; The Hidden Threat to Corporate Security".
Usenix Annual Technical Conference Boston, Massachusetts, USA Jun. 25-30, 2001.
Wagner, D.A., "Janus: an approach for confinement of untrusted applications," Master's thesis, University of California, Berkeley, 1999.. Also available, Technical Report CSD-99-1056, UC Berkeley, Computer Science Division. http://INVvW.cs-berkeley.edu/-daw/papers/janus-masters.ps.
Wahabe, R., et al., "Efficient Software-Based Fault Isolation," Computer Science Division University of California, Berkeley, SIGOPS 1993.
West, R., et al., "User-Level Sandboxing: a Safe and Efficient Mechanism for Extensibility", Technical Report, US-2003-014, Boston University, Jun. 2003.
Ye, Z., et al., "Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing," Technical Report TRUS-2002-418 Feb. 4, 2002.
Yee, K-P., "User Interaction Design for Secure Systems," Proceedings of the 4th International Conference on Information and Communications Security table of contents pp. 278-290, US-2002.
Young, M., et al., "The Duality of Memory and Communication in the Implementation of a Multiprocessor Operating System," Computer Science Department Carnegie-Mellon University Proceedings of the 11th Operating Systems Principles, Nov. 1987.

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130347114A1 (en) * 2012-04-30 2013-12-26 Verint Systems Ltd. System and method for malware detection
US10061922B2 (en) * 2012-04-30 2018-08-28 Verint Systems Ltd. System and method for malware detection
US11316878B2 (en) 2012-04-30 2022-04-26 Cognyte Technologies Israel Ltd. System and method for malware detection
US10198427B2 (en) 2013-01-29 2019-02-05 Verint Systems Ltd. System and method for keyword spotting using representative dictionary
US9923913B2 (en) 2013-06-04 2018-03-20 Verint Systems Ltd. System and method for malware detection learning
US11038907B2 (en) 2013-06-04 2021-06-15 Verint Systems Ltd. System and method for malware detection learning
US10630588B2 (en) 2014-07-24 2020-04-21 Verint Systems Ltd. System and method for range matching
US11463360B2 (en) 2014-07-24 2022-10-04 Cognyte Technologies Israel Ltd. System and method for range matching
US10560842B2 (en) 2015-01-28 2020-02-11 Verint Systems Ltd. System and method for combined network-side and off-air monitoring of wireless networks
US11432139B2 (en) 2015-01-28 2022-08-30 Cognyte Technologies Israel Ltd. System and method for combined network-side and off-air monitoring of wireless networks
US10142426B2 (en) 2015-03-29 2018-11-27 Verint Systems Ltd. System and method for identifying communication session participants based on traffic patterns
US10623503B2 (en) 2015-03-29 2020-04-14 Verint Systems Ltd. System and method for identifying communication session participants based on traffic patterns
US10546008B2 (en) 2015-10-22 2020-01-28 Verint Systems Ltd. System and method for maintaining a dynamic dictionary
US11386135B2 (en) 2015-10-22 2022-07-12 Cognyte Technologies Israel Ltd. System and method for maintaining a dynamic dictionary
US11093534B2 (en) 2015-10-22 2021-08-17 Verint Systems Ltd. System and method for keyword searching using both static and dynamic dictionaries
US10614107B2 (en) 2015-10-22 2020-04-07 Verint Systems Ltd. System and method for keyword searching using both static and dynamic dictionaries
US11381977B2 (en) 2016-04-25 2022-07-05 Cognyte Technologies Israel Ltd. System and method for decrypting communication exchanged on a wireless local area network
US10944763B2 (en) 2016-10-10 2021-03-09 Verint Systems, Ltd. System and method for generating data sets for learning to identify user actions
US10491609B2 (en) 2016-10-10 2019-11-26 Verint Systems Ltd. System and method for generating data sets for learning to identify user actions
US11303652B2 (en) 2016-10-10 2022-04-12 Cognyte Technologies Israel Ltd System and method for generating data sets for learning to identify user actions
US11336738B2 (en) 2017-04-30 2022-05-17 Cognyte Technologies Israel Ltd. System and method for tracking users of computer applications
US11095736B2 (en) 2017-04-30 2021-08-17 Verint Systems Ltd. System and method for tracking users of computer applications
US10972558B2 (en) 2017-04-30 2021-04-06 Verint Systems Ltd. System and method for tracking users of computer applications
US11575625B2 (en) 2017-04-30 2023-02-07 Cognyte Technologies Israel Ltd. System and method for identifying relationships between users of computer applications
US11336609B2 (en) 2018-01-01 2022-05-17 Cognyte Technologies Israel Ltd. System and method for identifying pairs of related application users
US10958613B2 (en) 2018-01-01 2021-03-23 Verint Systems Ltd. System and method for identifying pairs of related application users
US11403559B2 (en) 2018-08-05 2022-08-02 Cognyte Technologies Israel Ltd. System and method for using a user-action log to learn to classify encrypted traffic
US10999295B2 (en) 2019-03-20 2021-05-04 Verint Systems Ltd. System and method for de-anonymizing actions and messages on networks
US11444956B2 (en) 2019-03-20 2022-09-13 Cognyte Technologies Israel Ltd. System and method for de-anonymizing actions and messages on networks
US11399016B2 (en) 2019-11-03 2022-07-26 Cognyte Technologies Israel Ltd. System and method for identifying exchanges of encrypted communication traffic

Also Published As

Publication number Publication date
USRE43529E1 (en) 2012-07-17
USRE43528E1 (en) 2012-07-17
US7484247B2 (en) 2009-01-27
USRE43500E1 (en) 2012-07-03
US20060031940A1 (en) 2006-02-09
USRE43103E1 (en) 2012-01-10

Similar Documents

Publication Publication Date Title
USRE43987E1 (en) System and method for protecting a computer system from malicious software
US11604861B2 (en) Systems and methods for providing real time security and access monitoring of a removable media device
AU2014393471B2 (en) Systems and methods for using a reputation indicator to facilitate malware scanning
US9213836B2 (en) System and method for comprehensive general electric protection for computers against malicious programs that may steal information and/or cause damages
US20040034794A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US20030159070A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
US7665139B1 (en) Method and apparatus to detect and prevent malicious changes to tokens
GB2411988A (en) Preventing programs from accessing communication channels withut user permission
US20070240212A1 (en) System and Methodology Protecting Against Key Logger Spyware
WO2019222261A1 (en) Cloud based just in time memory analysis for malware detection
US8171552B1 (en) Simultaneous execution of multiple anti-virus programs
US9219728B1 (en) Systems and methods for protecting services
US9602538B1 (en) Network security policy enforcement integrated with DNS server
GB2404262A (en) Protection for computers against malicious programs using a security system which performs automatic segregation of programs
Iglio Trustedbox: a kernel-level integrity checker
Martsenyuk et al. Features of multifunctional Backdoor technology in the personal space of users.
CA2471505A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
GB2411747A (en) Remotely checking the functioning of computer security systems
CA2424144A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages
WO2002084939A1 (en) System and method for securely executing a executable to preserve the integrity of files from unauthorized access for network security
Kunle et al. Current Survey of Computer Malwares Infestation and Inhibition
AU2007201692A1 (en) System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages

Legal Events

Date Code Title Description
AS Assignment

Owner name: CIOFFI, ALFONSO, TEXAS

Free format text: LETTERS OF TESTAMENTARY;ASSIGNOR:ROZMAN, ALLEN FRANK;REEL/FRAME:034499/0346

Effective date: 20121029

AS Assignment

Owner name: ROZMAN, MEGAN ELIZABETH, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CIOFFI, ALFONSO;REEL/FRAME:034385/0958

Effective date: 20141114

Owner name: ROZMAN, MORGAN LEE, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CIOFFI, ALFONSO;REEL/FRAME:034385/0958

Effective date: 20141114

Owner name: ROZMAN, MELANIE ANN, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CIOFFI, ALFONSO;REEL/FRAME:034385/0958

Effective date: 20141114

REMI Maintenance fee reminder mailed
FPAY Fee payment

Year of fee payment: 8

SULP Surcharge for late payment

Year of fee payment: 7

AS Assignment

Owner name: ROZMAN, MEGAN ELIZABETH, TEXAS

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE CONVEYING PARTY DATA TO READ ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE) PREVIOUSLY RECORDED ON REEL 034385 FRAME 0958. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE);REEL/FRAME:052994/0740

Effective date: 20141114

Owner name: ROZMAN, MELANIE ANN, TEXAS

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE CONVEYING PARTY DATA TO READ ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE) PREVIOUSLY RECORDED ON REEL 034385 FRAME 0958. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE);REEL/FRAME:052994/0740

Effective date: 20141114

Owner name: ROZMAN, MORGAN LEE, TEXAS

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE CONVEYING PARTY DATA TO READ ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE) PREVIOUSLY RECORDED ON REEL 034385 FRAME 0958. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:ALLEN FRANK ROZMAN (DECEASED) REPRESENTED BY ALFONSO CIOFFI (EXECUTOR OF ESTATE);REEL/FRAME:052994/0740

Effective date: 20141114

FEPP Fee payment procedure

Free format text: 11.5 YR SURCHARGE- LATE PMT W/IN 6 MO, SMALL ENTITY (ORIGINAL EVENT CODE: M2556); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2553); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 12