TREA

Connectivity-based authorization

Follow

Information

  • Patent Grant
  • 8555404
  • Patent Number
    8,555,404
  • Date Filed
    Thursday, May 18, 2006
    18 years ago
  • Date Issued
    Tuesday, October 8, 2013
    11 years ago
Information
Abstract
Techniques which allow definition and enforcement of connectivity-based action and execution authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The connectivity state of the computer, the subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the connectivity state indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.
Description
CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to the following, all of which are incorporated herein by reference in their entirety:


co-pending U.S. patent application Ser. No. 10/651,591, entitled “Method and System for Containment of Networked Application Client Software by Explicit Human Input” and filed on Aug. 29, 2003;


U.S. Pat. No. 7,464,408, issued on Dec. 9, 2008, from U.S. patent application Ser. No. 10/651,588, entitled “Damage Containment by Translation” and filed on Aug. 29, 2003;


U.S. Pat. No. 7,783,735, issued on Aug. 24, 2010, from U.S. patent application Ser. No. 10/806,578, entitled “Containment of Network Communication” and filed on Mar. 22, 2004;


U.S. Pat. No. 7,840,968, issued on Nov. 23, 2010, from U.S. patent application Ser. No. 10/739,230, entitled “Method and System for Containment of Usage of Language Interfaces” and filed on Dec. 17, 2003;


U.S. Pat. No. 7,873,955, issued on Jan. 18, 2011 from U.S. patent application Ser. No. 10/935,772, entitled “Solidifying the Executable Software Set of a Computer” and filed on Sep. 7, 2004;


U.S. patent application Ser. No. 11/060,683, entitled “Distribution and Installation of Solidified Software on a Computer” and filed on Feb. 16, 2005;


U.S. Pat. No. 7,603,552, issued on Oct. 13, 2009 from U.S. patent application Ser. No. 11/122,872, entitled “Piracy Prevention Using Unique Module Translation” and filed on May 4, 2005;


U.S. Pat. No. 7,856,661, issued on Dec. 21, 2010 from U.S. patent application Ser. No. 11/182,320, entitled “Classification of Software on Networked Systems” and filed on Jul. 14, 2005;


U.S. Pat. No. 7,757,269, issued on Jul. 13, 2010, from U.S. patent application Ser. No. 11/346,741, entitled “Enforcing Alignment of Approved Changes and Deployed Changes in the Software Change Life-Cycle”, by Rahul Roy-Chowdhury, E. John Sebes and Jay Vaishnav, filed on Feb. 2, 2006;


U.S. Pat. No. 7,895,573, issued on Feb. 22, 2011 from U.S. patent application Ser. No. 11/277,596, entitled “Execution Environment File Inventory”, by Rishi Bhargava and E. John Sebes, filed on Mar. 27, 2006; and


U.S. Pat. No. 7,870,387, issued on Jan. 11, 2011, from U.S. patent application Ser. No. 11/400,085, entitled “Program-Based Authorization”, by Rishi Bhargava and E. John Sebes, filed on Apr. 7, 2006.


BACKGROUND

1. Field


Invention relates generally to authorization of actions on computer systems, and in particular to authorization based on connectivity states.


2. Related Art


Access control is a useful and practical concept in the field of information technology. The definition, monitoring and enforcement of access control policies contribute to the predictable and manageable operation and maintenance of business assets and processes.


An abstraction central to access control is that of subjects performing actions on objects. Actions, including those attempted by human subjects, are ultimately performed by one or more processes running on the computer. While traditional access control techniques use authorization policies that are generally defined for “human” subjects, and additional techniques that allow program-based authorization are disclosed in above referenced U.S. Pat. No. 7,870,387, there is also a need for authorizations that take into account the connectivity state of a computer.


SUMMARY

We disclose techniques which allow definition and enforcement of connectivity-based action and execution authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The connectivity state of the computer, the subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the connectivity state indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 is a diagrammatic illustration of an exemplary system for connectivity-based authorization, in accordance with an embodiment of the present invention.



FIG. 2 is a flow diagram showing a method for connectivity-based action authorization, according to an embodiment of the present invention.



FIG. 3 is a flow diagram showing a method for connectivity-based execution authorization, according to an embodiment of the present invention.





DETAILED DESCRIPTION

In the connectivity-based authorization techniques described herein, a process' attempt to perform an action on an object is intercepted. The state of connectivity, along with other things such as the subject program, the object, and the attempted action, are then determined. By way of example, the interception and subsequent determinations can be performed by a software agent running on the computer. Referring to an authorization policy which considers the connectivity and other determined attributes, a decision is made to either allow or block the attempted action. In both cases, it may be desirable to generate a log or alert indicative of the decision.



FIG. 1 is a diagrammatic illustration of an exemplary system for connectivity-based authorization, in accordance with an embodiment of the present invention. Computer 101 comprises a memory component 102 and a storage component 103, managed by an operating system (OS). Computer 101 is connectable to one or more networks 110 over wired (such as Ethernet or ATM) or wireless links (such as 802.11).


During the operation of computer 101, processes are launched to perform various actions in accordance with the operation of computer 101. Specifically, when a process 104 (hereinafter also referred to as “subject process”) is launched, it executes within memory component 102. A program file 105 (hereinafter also referred to as “subject program file”) represents the code or sequence of instructions which subject process 104 starts executing upon its launch. The subject program file 105 is typically some type of an executable file, such as a binary executable file, script, batch file, interpreted code, byte code, etc. Program file 105 is stored on storage component 103 or is otherwise accessible to computer 101. Note that subject process 104, during its life, may execute other code or instructions such as dynamic libraries, scripts, accepted input, or any other container of code, but the program file 105 refers to the code that subject process 104 starts out executing upon process launch. Furthermore, as described in more detail below, when subject process 104 is launched to execute a script, the program file 105 refers to the script and not to any interpreter of the script.


At some point during its execution, subject process 104 may attempt to perform an action on an object 106. For example, object 106 may be a file and the action attempt may comprise an attempt to write to the file. Other examples of objects 106 and actions are described below.


Using techniques described herein, the action attempt of subject process 104 is intercepted and an authorization policy is consulted. The authorization policy takes into account the state of the connectivity state of computer 101, and preferably also considers one or more other parameters such as the subject process 104, the subject program file 105, the object 106, and the action being attempted by subject process 104. The authorization policy indicates whether the attempted action is authorized or not.


There are two broad modes of operation for the connectivity-based authorizations of the present invention: a “tracking mode” and an “enforcement mode”. Both modes allow authorized attempts to proceed, but the modes differ in how they handle unauthorized attempts. In an enforcement mode, unauthorized attempts are blocked. In a tracking mode, unauthorized attempts are allowed to proceed, but they are logged. Tracking mode is useful for examining what effects an authorization policy would have on a system were the policy to be enforced. Tracking mode allows experimentation with and fine-tuning of authorization policies on a live computer 101, as well as real-time feedback based thereon, without disturbing the operation or behavior of the computer 101. Once an authorization policy is deemed acceptable, it can be enforced by switching from tracking mode to enforcement mode.


A typical example of an object 106 is a file, managed by a file system of computer 101. In that case the action attempt is a file system action attempt such as a read, write or delete operation on the file, or it may be an attempt to execute the file. Another example of an object 106 is a registry entry, such as one managed by a Windows™ operating system. In that case the action attempt may be a retrieve, create or delete a registry entry. Other examples of objects 106 include containers or resources managed by a service-oriented architecture (SOA), data structures or other objects stored in memory 102, or any other objects that are accessible to subject process 104. In general, the actions that can be attempted by the subject process 104 depend on the object 106 and how the object is being managed. While the following description is illustrated mainly with reference to file system action attempts, this is by way of example and is not intended to limit the scope of the disclosed techniques. It should be obvious to one of ordinary skill in the art that the disclosed techniques can be applied to connectivity-based authorization of any action attempted by a subject process on a computer. Further example actions for files and registry entries are enumerated below.


Connectivity-Based Action Authorization



FIG. 2 is a flow diagram showing a method for connectivity-based action authorization, according to an embodiment of the present invention. Step 201 intercepts a file system action attempt. This step preferably occurs in real-time. Step 202 determines the network connectivity of computer 101.


Before consulting a connectivity-based authorization policy, step 203 preferably also determines one or more other parameters relevant to an authorization of the attempted action, such as the target file (object 106) of the file system action attempt, the subject process 104 and the subject program file 105, and the action that is being attempted by subject process 104 on object 106. Step 203 optionally also determines one or more other attributes of the above parameters, examples of which are enumerated below.


Step 204 consults an authorization policy in order to determine 205 whether the attempted action is authorized or not. The authorization policy takes into account the connectivity determined in step 202, and preferably also takes into account one or more other parameters or attributes determined in step 203. Optionally, the authorization policy may disregard some of the determined information. For example, the authorization policy may disregard some or all of the file object 106 attributes and consider only the connectivity of computer 101 and the attempted action. Authorization policies may be stored using any appropriate data structure, for example in a computer readable medium comprising a table with a plurality of entries, with an entry associating a connectivity state with one or more allowed actions and subject programs and objects on the computer.


Next, if the action is authorized, step 206 allows the action to proceed and optional step 207 generates one or more log entries and/or alerts indicating that the authorized action was allowed to proceed. If the action is not authorized, step 208 blocks the action from proceeding and optional step 209 generates one or more log entries and/or alerts indicating that the unauthorized action was blocked. A log entry or alert may include information about the connectivity, the subject process 104, the subject program 105, the action, the object 106, relevant authorization policy, date and time, and/or any other information relevant to the authorization decision and available at the time of logging. Steps 208 and 209 are for an enforcement mode embodiment of the present invention. In a tracking mode embodiment, as described above, step 208 is skipped, allowing the unauthorized action to proceed and recording logs and/or alerts at step 209.


Example attributes of the subject process 104, action and object 106 are described in the above-referenced U.S. Pat. No. 7,870,387. Example attributes of the connectivity include the following:

    • Network to which computer 101 is connected. A network is broadly defined as any set of nodes (such as computers, routers, switches, etc.) that can communicate with each other using some protocol. There may be more than one network to which computer 101 is connected at any given time, and such a set of connected networks may dynamically change over time as connected networks are disconnected and new connections are established.
    • For a network to which computer 101 is connected or connectable, attributes such as:
      • whether the network is wired or wireless;
      • a network identifier, such as a Media Access Control (MAC) address of a default gateway, or a Service Set Identifier (SSID) of a wireless network;
      • a connection-specific Domain Name Service (DNS) suffix;
      • an Internet Protocol (IP) address of the computer 101, a subnet mask, a default gateway, a Dynamic Host Configuration Protocol (DHCP) server, a DNS server, a Windows™ Internet Naming Service (WINS) server, etc.;
      • communication protocols supported by the network, such as IPv4, IPv6, IPX, NetBEUI, AppleTalk, etc.;
      • date and time of when a DHCP lease was obtained and/or when it will expire;
      • any associated security settings, such as no encryption, IPSec (when implemented as a “bump in stack”), Wi-Fi Protected Access (WPA), Wired Equivalent Privacy (WEP), etc.;
      • whether computer 101 is currently connected to a Microsoft™ Active Directory domain;
      • whether computer 101 is currently connected to a single sign-on network, such as one configured to use Kerberos;
      • network connection speed;
      • any DHCP options selected for the network (if DHCP enabled);
      • any DHCP options selected for the computer 101, for example the boot image to use for booting up the OS of computer 101;
      • whether a specific service (such as an anti-virus update service, an application update service, an OS update service such as Microsoft Windows™ Update, etc.) is currently available via the network;
      • whether a specific network node (such as an anti-virus update server, an application update server, an OS update server such as a server for Microsoft Windows™ Update, etc.) is currently available via the network;
      • DNS SRV records for the network (such as including those specified in RFC 2782);


We now turn to describing the steps of FIG. 2 in more detail. For the interception step 201, OS provisions can be used to intercept file system action requests and registry action requests, as well as to determine whether a file system action request is a an attempt to read a file, write to a file, delete a file, rename a file, move a file, append to a file, truncate a file, get or set permissions on a file, or get or set any other attribute of a file. For example, in a Microsoft Windows™ OS environment, a filter driver can be used to intercept file system requests and determine their type.


In other operating systems, such as Linux or other Unix-derived operating systems, a “shim” module or wrapper mechanism can be used for that purpose. A wrapper mechanism would redirect action attempts (e.g. system calls) to a wrapper library that represents an entry point for the interception code, and which may eventually call into the original library or code that implements the intended action attempt. One way of indicating redirection to the wrapper library comprises setting one or more environment variables indicating library load paths and sequences.


A shim module redirects system calls to custom interception code within the kernel, and the interception code decides whether or not to redirect execution to the kernel code that implements the system call. For example, in a Unix-derived OS, one or more virtual file system (VFS) methods may be patched to facilitate redirection to interception code. These and other techniques for the interception of file system requests should be obvious to one of ordinary skill in the art, and are also briefly described in the above referenced U.S. Pat. No. 7,757,269. Similarly, OS provisions can be used to intercept registry action requests and determine whether the request is an attempt to read or retrieve an entry, delete an entry, write to an entry, create an entry, or perform any other actions on the entry. We continue to illustrate the steps with exemplary references to file system requests.


Once a file system request is intercepted, the request indicates the file object 106 as well as the action that the subject process 104 is attempting to perform on the file object 106. In an embodiment where step 203 further determines the subject process 104 and its subject program file 105, one technique is to start with a unique identifier for the process context of the currently executing subject process 104. This identifier need not necessarily comprise the traditional process identification number (PID) assigned to processes by many operating systems, though it may. For example, in a Microsoft Windows™ OS, an EPROCESS block or a process handle can be used to uniquely identify the subject process 104.


Once an identifier for the subject process 104 is determined, the subject program file 105 and optionally one or more other attributes of the subject process 104 can be determined as well. For some operating systems, such as a Microsoft Windows™ OS, this information may not be available via a published application programming interface (API). In such cases, one technique for inferring the subject program file 105 associated with the subject process 104 is to explicitly keep track of the process-program associations so that they can be referred to when needed. One way to do this is by implementing a “Process Tracking Framework” abstraction which, upon receiving an identifier of a subject process 104 context, indicates the subject program file 105 associated with the subject process 104. The Process Tracking Framework is described in the above-referenced U.S. Pat. No. 7,870,387.


The authorization rules can be arbitrarily complex and may represent any function or Boolean predicate which effectively takes as input a connectivity state, a subject program file 105 of a subject process 104 (and optionally one or more further attributes of the subject process 104), a requested action, and an object 106 (or one or more file object 106 attributes), and outputs an authorization decision. We will now present some specific use cases enabled by the connectivity-based authorization techniques and authorization policies described herein.


One particular example of using connectivity-based action authorization is to implement file read restrictions on a computer. As one example of a read restriction policy, a set of authorization rules can be defined to block file transfer programs resident on computer 101 from accessing a specified set of files R whenever computer 101 has connectivity to any network other than a specific network N. For example, R may represent a set of sensitive files related to a business' operations which should be safeguarded against leaking outside of N. Consequently, as a result of enforcing the connectivity-based authorization with such a read restriction policy, whenever a file transfer program attempts to access a file in R while computer 101 is connected to any network other than N, the attempt will fail.


Another example of using connectivity-based action authorization is to implement file write restrictions on a computer. As one example of a write restriction policy, a set of authorization rules can be defined to restrict a specific program file 105 P's ability to write to the computer's 101 storage 103 depending on the computer's 101 connectivity. For example, P may be specified as a specific hypertext markup language (HTML) browser such as Microsoft Internet Explorer™, and an authorization policy can be defined which restricts P to writing only a restricted set of files whenever computer 101 is suspected to be connected to a potentially unsafe network. For example, Microsoft Internet Explorer™ may be allowed to write any type of file to computer's 101 storage 103 except executable files, scripts, batch files, and dynamic libraries, unless computer 101 is connected to a specific firewalled network N (and to no other potentially unsafe network). Furthermore, Microsoft Internet Explorer™ may be also restricted from modifying existing content on storage 103 unless a connection to N (and no connection to any other network) can be detected. This means that whenever a connection to the firewalled network cannot be detected, Microsoft Internet Explorer™ will be blocked from writing such restricted files to the computer's 101 storage 103 or modifying existing content, thereby reducing the risk of browser-written malware and malicious changes to computer 101.


Other examples of using connectivity-based action authorization comprise extending the concepts disclosed in above-referenced U.S. Patents and co-pending U.S. Patent Applications with the connectivity-based authorization techniques disclosed herein. In particular, U.S. Pat. Nos. 7,757,269 and 7,895,573 describe techniques involving authorization of updates, changes and executions of objects resident on a computer system (such as software, configuration files, registry entries, executables, etc.). The present connectivity-based authorization techniques extend the authorization of updates, changes and executions described in said patents to also take into account the connectivity of the computer 101.


Connectivity-Based Execution Authorization


The process for execution authorization is similar to that for action authorization, except that in some operating systems execution requests may follow a different code path than other file system action requests, and therefore the interception of execution requests may differ in implementation from the interception of other file system action requests.



FIG. 3 is a flow diagram showing a method for connectivity-based execution authorization, according to an embodiment of the present invention. Step 221 intercepts an execution attempt. This step preferably occurs in real-time. Step 222 determines the network connectivity of computer 101.


Before consulting a connectivity-based authorization policy and analogously to step 203 above, step 223 preferably also determines one or more other parameters relevant to an authorization of the attempted execution, such as the target executable file (object 106) of the execution attempt, the subject process 104 that is attempting to execute the executable file (object 106), and the subject program file 105 that represents the code being executed by the subject process 104. Optionally, step 223 also determines one or more other attributes of the above parameters, as was enumerated above. For example attributes of the executable file, refer to the above described object 106 attributes.


Step 224 consults an authorization policy to determine 225 whether the attempted execution is authorized or not. The authorization takes into account the connectivity determined in step 222, and preferably also takes into account any other parameters and attributes as determined in step 223. Optionally, the authorization policy may disregard some of the determined information. For example, the authorization policy may disregard some or all of the executable file (object 106) attributes and consider only the connectivity and the subject program file 105. For example, specific programs may be prohibited from executing unless computer 101 is connected only to a trusted network. As a concrete example for a specific business organization, browsers (such as Microsoft Internet Explorer™) and tools which process proprietary or sensitive data (such as computer-aided design (CAD) tools) may be prohibited from running unless computer 101 is connected to the organization's one or more trusted network. As described above, authorization policies may be stored using any appropriate data structure, for example in a computer readable medium comprising a table with a plurality of entries, with an entry associating a connectivity state with one or more allowed executions and subject programs and objects on the computer.


If the execution is authorized, step 226 allows the execution to proceed and optional step 227 generates one or more log entries and/or alerts indicating that the authorized execution was allowed to proceed. If the execution is not authorized, step 228 blocks the action from proceeding and optional step 229 generates one or more log entries and/or alerts indicating that an unauthorized execution was blocked. Analogous to the above description, steps 228 and 229 are for an enforcement mode embodiment of the present invention. In a tracking mode embodiment, step 228 is skipped, allowing the unauthorized execution to proceed and recoding logs and/or alerts at step 229.


We now turn to describing the steps of FIG. 3 in more detail. One technique for implementing the interception step 221 comprises placing hooks within the process creation and process termination code paths of the OS. This is also described in the above-referenced U.S. Pat. No. 7,870,387. For step 222, the determination of connectivity proceeds as described for step 202 above. For step 223, since an execution request submitted to the OS generally includes an indication of the executable file (object 106) as an argument (e.g. name or handle of a binary file, script file, batch file, interpreted program file, byte code file, etc.), the executable file can be determined by examining the execution request intercepted in step 221. Any other parameters and attributes for step 223 can be determined as described above for step 203. Determination of the subject process (step 223a) can be done as described above, for example by starting with a unique identifier for the process context of the currently executing subject process 104. Determination of subject process 104 attributes (step 223b), such as the actual program file comprising the code for the subject process, can be done by using the Process Tracking Framework described in the above-referenced U.S. Pat. No. 7,870,387.


The disclosed connectivity-based authorization techniques generalize to any other objects and actions which are accessible to running processes. Examples of such other objects include: synchronization objects such as semaphores and locks; inter-process communication (IPC) objects such as shared memory segments; communication objects such as network sockets; local communication abstractions such as pipes; file access objects such as symbolic links (on a Unix-flavored OS) and shortcuts (on a Windows™ OS); running processes; etc. Actions applicable to such objects depend on the specific abstractions, implementations and semantics of the systems managing the objects, with examples including: killing, suspending, unsuspending or sending signals to processes; acquiring or releasing locks; reading from or writing to shared memory segments; opening, reading from, writing to, or closing network sockets or pipes; etc. The adaptation of the program-based authorization steps disclosed herein to such objects and actions (such as interception of action attempts, determination of object attributes, etc.) should be obvious to one of ordinary skill in the art.


Foregoing described embodiments of the invention are provided as illustrations and descriptions. They are not intended to limit the invention to precise form described. In particular, it is contemplated that functional implementation of invention described herein may be implemented equivalently in hardware, software, firmware, and/or other available functional components or building blocks, and that networks may be wired, wireless, or a combination of wired and wireless. Other variations and embodiments are possible in light of above teachings, and it is thus intended that the scope of invention not be limited by this Detailed Description, but rather by Claims following.

Claims
  • 1. A method of authorizing a file system action on a computer, the method steps comprising: intercepting a file system action attempt indicating an action by a process on an object;determining an identifier for the process;using the identifier to determine a program file representing instructions being executed by the process;determining a network connectivity state of the computer, wherein at least one entry in an authorization policy designates an authorization of a particular action for the program file based on the network connectivity state and a type of action associated with the particular action, and wherein a network connectivity state parameter includes an attribute associated with whether the computer is connected to a wired network or a wireless network;determining whether the action is authorized or not based on the authorization policy, wherein the authorization policy includes the network connectivity state parameter, a program file parameter, an object parameter, and an attempted action parameter;allowing the action by the process to proceed when the action is authorized, as indicated by the authorization policy; andresponding when a determination is made that the action is not authorized, wherein said responding comprises a first mode and a second mode, when in the first mode the action is blocked and an alert is generated, the alert including the type of action and the network connectivity state at the time the action was attempted, and when in the second mode the action is allowed to proceed and an alert is generated.
  • 2. A method as recited in claim 1, wherein the determining further determines one or more attributes of the process or of the program file.
  • 3. A method as recited in claim 1, wherein the action indicates a read operation on the object.
  • 4. A method as recited in claim 1, wherein the action indicates a write, append or truncate operation on the object.
  • 5. A method as recited in claim 1, wherein the action indicates a delete, move or rename operation on the object.
  • 6. A computer-implemented method for authorizing registry actions on a computer that includes a processor and a non-transitory computer readable medium, comprising: intercepting a registry action attempt indicating an action by a process on a registry entry;determining an identifier for the process;using the identifier to determine a program file representing instructions being executed by the process;determining a network connectivity state of a computer, wherein at least one entry in an authorization policy designates an authorization of a particular action for the program file based on the network connectivity state and a type of action associated with the particular action, and wherein a network connectivity state parameter includes an attribute associated with whether the computer is connected to a wired network or a wireless network;determining whether the action is authorized or not based on the authorization policy, wherein the authorization policy includes the network connectivity state parameter, a program file parameter, an object parameter, and an attempted action parameter;allowing the action by the process to proceed when the action is authorized, as indicated by the authorization policy; andresponding when a determination is made that the action is not authorized, wherein said responding comprises a first mode and a second mode, when in the first mode the action is blocked and an alert is generated, the alert including the type of action and the network connectivity state at the time the action was attempted, and when in the second mode the action is allowed to proceed and an alert is generated.
  • 7. A method as recited in claim 6, wherein the determining further determines one or more attributes of the processor of the program file.
  • 8. A method as recited in claim 6, wherein the action indicates a read, retrieve, write, create or delete operation on the registry entry.
  • 9. A method for authorizing executions on a computer that includes a processor and a non-transitory computer readable medium, comprising: intercepting an execution attempt indicating a process attempting to execute an executable file;determining an identifier for the process;using the identifier to determine a program file representing instructions being executed by the process;determining a network connectivity state of the computer, wherein at least one entry in an authorization policy designates an authorization of a particular execution for the program file based on the network connectivity state and a type of execution associated with the particular execution, and wherein a network connectivity state parameter includes an attribute associated with whether the computer is connected to a wired network or a wireless network;determining whether the execution is authorized or not based on the authorization policy, wherein the authorization policy includes the network connectivity state parameter, a program file parameter, an object parameter, and an attempted execution parameter;allowing the execution to proceed when the execution is authorized, as indicated by the authorization policy; andresponding when a determination is made that the execution is not authorized, wherein said responding comprises a first mode and a second mode, when in the first mode the execution is blocked and an alert is generated, the alert including the type of action and the network connectivity state at the time the execution was attempted, and when in the second mode the execution is allowed to proceed and an alert is generated.
  • 10. A method as recited in claim 9, wherein the determining further determines one or more attributes of the process or of the program file.
  • 11. At least one non-transitory computer readable medium having instructions stored thereon, the instructions when executed by a processor cause the processor to: intercept a file system action attempt indicating an action by a process on an object;determine an identifier for the process;use the identifier to determine a program file representing instructions being executed by the process;determine a network connectivity state of the computer, wherein at least one entry in an authorization policy designates an authorization of a particular action for the program file based on the network connectivity state and a type of action associated with the particular action, and wherein a network connectivity state parameter includes an attribute associated with whether the computer is connected to a wired network or a wireless network;determine whether the action is authorized or not based on the authorization policy, wherein the authorization policy includes the network connectivity state parameter, a program file parameter, an object parameter, and an attempted action parameter;allow the action by the process to proceed when the action is authorized, as indicated by the authorization policy; andrespond when a determination is made that the action is not authorized, wherein a response comprises one of a first mode and a second mode, when in the first mode the action is blocked and an alert is generated, the alert including the type of action and the network connectivity state at the time the action was attempted, and when in the second mode the action is allowed to proceed and an alert is generated.
  • 12. At least one non-transitory computer readable medium having instructions stored thereon, the instructions when executed by a processor cause the processor to: intercept a registry action attempt indicating an action by a process on a registry entry;determine an identifier for the process;use the identifier to determine a program file representing instructions being executed by the process;determine a network connectivity state of a computer, wherein at least one entry in an authorization policy designates an authorization of a particular action for the program file based on the network connectivity state and a type of action associated with the particular action, and wherein a network connectivity state parameter includes an attribute associated with whether the computer is connected to a wired network or a wireless network;determine whether the action is authorized or not based on the authorization policy, wherein the authorization policy includes the network connectivity state parameter, a program file parameter, an object parameter, and an attempted action parameter;allow the action by the process to proceed when the action is authorized, as indicated by the authorization policy; andrespond when a determination is made that the action is not authorized, wherein a response comprises one of a first mode and a second mode, when in the first mode the action is blocked and an alert is generated, the alert including the type of action and the network connectivity state at the time the action was attempted, and when in the second mode the action is allowed to proceed and an alert is generated.
  • 13. At least one non-transitory computer readable medium having instructions stored thereon, the instructions when executed by a processor cause the processor to: intercept an execution attempt indicating a process attempting to execute an executable file;determine an identifier for the process;use the identifier to determine a program file representing instructions being executed by the process;determine a network connectivity state of the computer, wherein at least one entry in an authorization policy designates an authorization of a particular execution for the program file based on the network connectivity state and a type of execution associated with the particular execution, and wherein a network connectivity state parameter includes an attribute associated with whether the computer is connected to a wired network or a wireless network;determine whether the execution is authorized or not based on the authorization policy, wherein the authorization policy includes the network connectivity state parameter, a program file parameter, an object parameter, and an attempted execution parameter;allow the execution to proceed when the execution is authorized, as indicated by the authorization policy; andrespond when a determination is made that the execution is not authorized, wherein a response comprises one of a first mode and a second mode, when in the first mode the execution is blocked and an alert is generated, the alert including the type of action and the network connectivity state at the time the execution was attempted, and when in the second mode the execution is allowed to proceed and an alert is generated.
US Referenced Citations (244)
Number Name Date Kind
4688169 Joshi Aug 1987 A
4982430 Frezza et al. Jan 1991 A
5155847 Kirouac et al. Oct 1992 A
5222134 Waite et al. Jun 1993 A
5390314 Swanson Feb 1995 A
5521849 Adelson et al. May 1996 A
5560008 Johnson et al. Sep 1996 A
5699513 Feigen et al. Dec 1997 A
5778226 Adams et al. Jul 1998 A
5778349 Okonogi Jul 1998 A
5787427 Benantar et al. Jul 1998 A
5842017 Hookway et al. Nov 1998 A
5907709 Cantey et al. May 1999 A
5907860 Garibay et al. May 1999 A
5926832 Wing et al. Jul 1999 A
5974149 Leppek Oct 1999 A
5987610 Franczek et al. Nov 1999 A
5987611 Freund Nov 1999 A
5991881 Conklin et al. Nov 1999 A
6064815 Hohensee et al. May 2000 A
6073142 Geiger et al. Jun 2000 A
6141698 Krishnan et al. Oct 2000 A
6192401 Modiri et al. Feb 2001 B1
6192475 Wallace Feb 2001 B1
6256773 Bowman-Amuah Jul 2001 B1
6275938 Bond et al. Aug 2001 B1
6321267 Donaldson Nov 2001 B1
6338149 Ciccone, Jr. et al. Jan 2002 B1
6356957 Sanchez, II et al. Mar 2002 B2
6393465 Leeds May 2002 B2
6442686 McArdle et al. Aug 2002 B1
6449040 Fujita Sep 2002 B1
6453468 D'Souza Sep 2002 B1
6460050 Pace et al. Oct 2002 B1
6587877 Douglis et al. Jul 2003 B1
6611925 Spear Aug 2003 B1
6662219 Nishanov et al. Dec 2003 B1
6748534 Gryaznov et al. Jun 2004 B1
6769008 Kumar et al. Jul 2004 B1
6769115 Oldman Jul 2004 B1
6795966 Lim et al. Sep 2004 B1
6832227 Seki et al. Dec 2004 B2
6834301 Hanchett Dec 2004 B1
6847993 Novaes et al. Jan 2005 B1
6907600 Neiger et al. Jun 2005 B2
6918110 Hundt et al. Jul 2005 B2
6930985 Rathi et al. Aug 2005 B1
6934755 Saulpaugh et al. Aug 2005 B1
6988101 Ham et al. Jan 2006 B2
6988124 Douceur et al. Jan 2006 B2
7007302 Jagger et al. Feb 2006 B1
7010796 Strom et al. Mar 2006 B1
7024548 O'Toole, Jr. Apr 2006 B1
7039949 Cartmell et al. May 2006 B2
7065767 Kambhammettu et al. Jun 2006 B2
7069330 McArdle et al. Jun 2006 B1
7082456 Mani-Meitav et al. Jul 2006 B2
7093239 van der Made Aug 2006 B1
7124409 Davis et al. Oct 2006 B2
7139916 Billingsley et al. Nov 2006 B2
7152148 Williams et al. Dec 2006 B2
7159036 Hinchliffe et al. Jan 2007 B2
7177267 Oliver et al. Feb 2007 B2
7203864 Goin et al. Apr 2007 B2
7251655 Kaler et al. Jul 2007 B2
7290266 Gladstone et al. Oct 2007 B2
7302558 Campbell et al. Nov 2007 B2
7330849 Gerasoulis et al. Feb 2008 B2
7346781 Cowle et al. Mar 2008 B2
7349931 Horne Mar 2008 B2
7350204 Lambert et al. Mar 2008 B2
7353501 Tang et al. Apr 2008 B2
7363022 Whelan et al. Apr 2008 B2
7370360 van der Made May 2008 B2
7406517 Hunt et al. Jul 2008 B2
7441265 Staamann et al. Oct 2008 B2
7464408 Shah et al. Dec 2008 B1
7506155 Stewart et al. Mar 2009 B1
7506170 Finnegan Mar 2009 B2
7506364 Vayman Mar 2009 B2
7546333 Alon et al. Jun 2009 B2
7546594 McGuire et al. Jun 2009 B2
7552479 Conover et al. Jun 2009 B1
7577995 Chebolu et al. Aug 2009 B2
7607170 Chesla Oct 2009 B2
7657599 Smith Feb 2010 B2
7669195 Qumei Feb 2010 B1
7685635 Vega et al. Mar 2010 B2
7698744 Fanton et al. Apr 2010 B2
7703090 Napier et al. Apr 2010 B2
7757269 Roy-Chowdhury et al. Jul 2010 B1
7765538 Zweifel et al. Jul 2010 B2
7783735 Sebes et al. Aug 2010 B1
7809704 Surendran et al. Oct 2010 B2
7818377 Whitney et al. Oct 2010 B2
7823148 Deshpande et al. Oct 2010 B2
7836504 Ray et al. Nov 2010 B2
7840968 Sharma et al. Nov 2010 B1
7849507 Bloch et al. Dec 2010 B1
7856661 Sebes et al. Dec 2010 B1
7865931 Stone et al. Jan 2011 B1
7870387 Bhargava et al. Jan 2011 B1
7873955 Sebes Jan 2011 B1
7895573 Bhargava et al. Feb 2011 B1
7908653 Brickell et al. Mar 2011 B2
7937455 Saha et al. May 2011 B2
7966659 Wilkinson et al. Jun 2011 B1
7996836 McCorkendale et al. Aug 2011 B1
8015388 Rihan et al. Sep 2011 B1
8015563 Araujo et al. Sep 2011 B2
8195931 Sharma et al. Jun 2012 B1
8234713 Roy-Chowdhury et al. Jul 2012 B2
8307437 Sebes et al. Nov 2012 B2
8321932 Bhargava et al. Nov 2012 B2
8332929 Bhargava et al. Dec 2012 B1
8381284 Dang et al. Feb 2013 B2
20020056076 van der Made May 2002 A1
20020069367 Tindal et al. Jun 2002 A1
20020083175 Afek et al. Jun 2002 A1
20020099671 Mastin Crosbie et al. Jul 2002 A1
20030014667 Kolichtchak Jan 2003 A1
20030023736 Abkemeier Jan 2003 A1
20030033510 Dice Feb 2003 A1
20030073894 Chiang et al. Apr 2003 A1
20030074552 Olkin et al. Apr 2003 A1
20030115222 Oashi et al. Jun 2003 A1
20030120601 Ouye et al. Jun 2003 A1
20030120811 Hanson et al. Jun 2003 A1
20030120935 Teal et al. Jun 2003 A1
20030145232 Poletto et al. Jul 2003 A1
20030163718 Johnson et al. Aug 2003 A1
20030167292 Ross Sep 2003 A1
20030167399 Audebert et al. Sep 2003 A1
20030200332 Gupta et al. Oct 2003 A1
20030212902 van der Made Nov 2003 A1
20030220944 Schottland et al. Nov 2003 A1
20030221190 Deshpande et al. Nov 2003 A1
20040003258 Billingsley et al. Jan 2004 A1
20040015554 Wilson Jan 2004 A1
20040051736 Daniell Mar 2004 A1
20040054928 Hall Mar 2004 A1
20040143749 Tajalli et al. Jul 2004 A1
20040167906 Smith et al. Aug 2004 A1
20040230963 Rothman et al. Nov 2004 A1
20040243678 Smith et al. Dec 2004 A1
20040255161 Cavanaugh Dec 2004 A1
20050018651 Yan et al. Jan 2005 A1
20050086047 Uchimoto et al. Apr 2005 A1
20050108516 Balzer et al. May 2005 A1
20050108562 Khazan et al. May 2005 A1
20050114672 Duncan et al. May 2005 A1
20050132346 Tsantilis Jun 2005 A1
20050228990 Kato et al. Oct 2005 A1
20050235360 Pearson Oct 2005 A1
20050257207 Blumfield et al. Nov 2005 A1
20050257265 Cook et al. Nov 2005 A1
20050260996 Groenendaal Nov 2005 A1
20050262558 Usov Nov 2005 A1
20050273858 Zadok et al. Dec 2005 A1
20050283823 Okajo et al. Dec 2005 A1
20050289538 Black-Ziegelbein et al. Dec 2005 A1
20060004875 Baron et al. Jan 2006 A1
20060015501 Sanamrad et al. Jan 2006 A1
20060037016 Saha et al. Feb 2006 A1
20060080656 Cain et al. Apr 2006 A1
20060085785 Garrett Apr 2006 A1
20060101277 Meenan et al. May 2006 A1
20060133223 Nakamura et al. Jun 2006 A1
20060136910 Brickell et al. Jun 2006 A1
20060136911 Robinson et al. Jun 2006 A1
20060195906 Jin et al. Aug 2006 A1
20060200863 Ray et al. Sep 2006 A1
20060230314 Sanjar et al. Oct 2006 A1
20060236398 Trakic et al. Oct 2006 A1
20060259734 Sheu et al. Nov 2006 A1
20070011746 Malpani et al. Jan 2007 A1
20070028303 Brennan Feb 2007 A1
20070039049 Kupferman et al. Feb 2007 A1
20070050579 Hall et al. Mar 2007 A1
20070050764 Traut Mar 2007 A1
20070074199 Schoenberg Mar 2007 A1
20070083522 Nord et al. Apr 2007 A1
20070101435 Konanka et al. May 2007 A1
20070136579 Levy et al. Jun 2007 A1
20070143851 Nicodemus et al. Jun 2007 A1
20070169079 Keller et al. Jul 2007 A1
20070192329 Croft et al. Aug 2007 A1
20070220061 Tirosh et al. Sep 2007 A1
20070220507 Back et al. Sep 2007 A1
20070253430 Minami et al. Nov 2007 A1
20070256138 Gadea et al. Nov 2007 A1
20070271561 Winner et al. Nov 2007 A1
20070300215 Bardsley Dec 2007 A1
20080005737 Saha et al. Jan 2008 A1
20080005798 Ross Jan 2008 A1
20080010304 Vempala et al. Jan 2008 A1
20080022384 Yee et al. Jan 2008 A1
20080034416 Kumar et al. Feb 2008 A1
20080052468 Speirs et al. Feb 2008 A1
20080082977 Araujo et al. Apr 2008 A1
20080120499 Zimmer et al. May 2008 A1
20080141371 Bradicich et al. Jun 2008 A1
20080163207 Reumann et al. Jul 2008 A1
20080163210 Bowman et al. Jul 2008 A1
20080165952 Smith et al. Jul 2008 A1
20080184373 Traut et al. Jul 2008 A1
20080235534 Matthias et al. Sep 2008 A1
20080294703 Craft et al. Nov 2008 A1
20080301770 Kinder Dec 2008 A1
20090007100 Field et al. Jan 2009 A1
20090038017 Durham et al. Feb 2009 A1
20090043993 Ford et al. Feb 2009 A1
20090055693 Budko et al. Feb 2009 A1
20090113110 Xiaoxin et al. Apr 2009 A1
20090144300 Chatley et al. Jun 2009 A1
20090150639 Ohata Jun 2009 A1
20090249053 Zimmer et al. Oct 2009 A1
20090249438 Litvin et al. Oct 2009 A1
20100071035 Budko et al. Mar 2010 A1
20100100970 Chowdhury et al. Apr 2010 A1
20100114825 Siddegowda May 2010 A1
20100250895 Adams et al. Sep 2010 A1
20100281133 Brendel Nov 2010 A1
20100293225 Sebes et al. Nov 2010 A1
20100332910 Qasim et al. Dec 2010 A1
20110029772 Fanton et al. Feb 2011 A1
20110035423 Kobayashi et al. Feb 2011 A1
20110047543 Mohinder Feb 2011 A1
20110077948 Sharma et al. Mar 2011 A1
20110078550 Nabutovsky Mar 2011 A1
20110093842 Sebes Apr 2011 A1
20110113467 Agarwal et al. May 2011 A1
20110119760 Sebes et al. May 2011 A1
20110138461 Bhargava et al. Jun 2011 A1
20120030731 Bhargava et al. Feb 2012 A1
20120030750 Bhargava et al. Feb 2012 A1
20120278853 Chowdhury et al. Nov 2012 A1
20120290827 Bhargava et al. Nov 2012 A1
20120297176 Bhargava et al. Nov 2012 A1
20130024934 Sebes et al. Jan 2013 A1
20130091318 Bhattacharjee et al. Apr 2013 A1
20130097355 Dang et al. Apr 2013 A1
20130097356 Dang et al. Apr 2013 A1
20130117823 Dang et al. May 2013 A1
Foreign Referenced Citations (10)
Number Date Country
1 482 394 Dec 2004 EP
2 037 657 Mar 2009 EP
WO 9844404 Oct 1998 WO
WO 0184285 Nov 2001 WO
WO 2006012197 Feb 2006 WO
WO 2006124832 Nov 2006 WO
WO 2008054997 May 2008 WO
WO 2011059877 May 2011 WO
WO 2012015485 Feb 2012 WO
WO 2012-015489 Feb 2012 WO
Non-Patent Literature Citations (77)
Entry
Kurt Gutzmann, “Access Control and Session Management in the HTTP Environment,”Jan./Feb. 2001, pp. 26-35, IEEE Internet Computing.
U.S. Appl. No. 11/379,953, entitled “Software Modification by Group to Minimize Breakage,” filed Apr. 24, 2006, Inventor(s): E. John Sebes et al.
U.S. Appl. No. 11/277,596, entitled “Execution Environment File Inventory,” filed Mar. 27, 2006, Inventor(s): Rishi Bhargava et al.
U.S. Appl. No. 10/651,591, entitled “Method and System for Containment of Networked Application Client Software by Explicit Human Input,” filed Aug. 29, 2003, Inventor(s): Rosen Sharma et al.
U.S. Appl. No. 10/806,578, entitled Containment of Network communication, filed Mar. 22, 2004, Inventor(s): E. John Sebes et al.
U.S. Appl. No. 10/739,230, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Dec. 17, 2003, Inventor(s): Rosen Sharma et al.
U.S. Appl. No. 10/935,772, entitled “Solidifying the Executable Software Set of a Computer,” filed Sep. 7, 2004, Inventor(s): E. John Sebes et al.
U.S. Appl. No. 11/060,683, entitled “Distribution and Installation of Solidified Software on a Computer,” filed Feb. 16, 2005, Inventor(s): Bakul Shah et al.
U.S. Appl. No. 11/122,872, entitled “Piracy Prevention Using Unique Module Translation,” filed May 4, 2005, Inventor(s): E. John Sebes et al.
U.S. Appl. No. 11/346,741, entitled “Enforcing Alignment of Approved Changes and Deployed Changes in the Software Change Life-Cycle,” filed Feb. 2, 2006, Inventor(s): Rahul Roy-Chowdhury et al.
U.S. Appl. No. 11/182,320, entitled “Classification of Software on Networked Systems,” filed Jul. 14, 2005, Inventor(s): E. John Sebes et al.
U.S. Appl. No. 11/400,085, entitled “Program-Based Authorization,” filed Apr. 7, 2006, Inventor(s): Rishi Bhargava et al.
U.S. Appl. No. 12/290,380, entitled “Application Change Control,” filed Oct. 29, 2008, Inventor(s): Rosen Sharma et al.
U.S. Appl. No. 12/008,274, entitled Method and Apparatus for Process Enforced Configuration Management, filed Jan. 9, 2008, Inventor(s): Rishi Bhargava et al.
U.S. Appl. No. 12/291,232, entitled “Method of and System for Computer System State Checks,” filed Nov. 7, 2008, inventor(s): Rishi Bhargava et al.
U.S. Appl. No. 12/322,220, entitled “Method of and System for Malicious Software Detection Using Critical Address Space Protection,” filed Jan. 29, 2009, Inventor(s): Suman Saraf et al.
U.S. Appl. No. 12/322,321, entitled “Method of and System for Computer System Denial-of-Service Protection,” filed Jan. 29, 2009, Inventor(s): Suman Saraf et al.
U.S. Appl. No. 12/426,859, entitled “Method of and System for Reverse Mapping Vnode Pointers,” filed Apr. 20, 2009, Inventor(s): Suman Saraf et al.
U.S. Appl. No. 12/545,609, entitled “System and Method for Enforcing Security Policies in a Virtual Environment,” filed Aug. 21, 2009, Inventor(s): Amit Dang et al.
U.S. Appl. No. 12/545,745, entitled “System and Method for Providing Address Protection in a Virtual Environment,” filed Aug. 21, 2009, Inventor(s): Preet Mohinder.
Eli M. Dow, et al., “The Xen Hypervisor,” INFORMIT, dated Apr. 10, 2008, http://www.informit.com/articles/printerfriendly.aspx?p=1187966, printed Aug. 11, 2009 (13 pages).
“Xen Architecture Overview,” Xen, dated Feb. 13, 2008, Version 1.2, http://wiki.xensource.com/xenwiki/XenArchitecture?action=AttachFile&do=get&target=Xen+architecture—Q1+2008.pdf, printed Aug. 18, 2009 (9 pages).
U.S. Appl. No. 12/551,673, entitled “Piracy Prevention Using Unique Module Translation,” filed Sep. 1, 2009, Inventor(s): E. John Sebes et al.
U.S. Appl. No. 12/615,521, entitled “System and Method for Preventing Data Loss Using Virtual Machine Wrapped Applications,” filed Nov. 10, 2009, Inventor(s): Sonali Agarwal, et al.
Desktop Management and Control, Website: http://www.vmware.com/solutions/desktop/, printed Oct. 12, 2009, 1 page.
Secure Mobile Computing, Website: http://www.vmware.com/solutions/desktop/mobile.html, printed Oct. 12, 2009, 2 pages.
U.S. Appl. No. 12/636,414, entitled “System and Method for Managing Virtual Machine Configurations,” filed Dec. 11, 2009, Inventor(s): Harvinder Singh Sawhney, et al.
U.S. Appl. No. 12/839,856, entitled “Containment of Network Communication,” filed Jul. 20, 2010, Inventor(s) E. John Sebes, et al.
U.S. Appl. No. 12/844,892, entitled “System and Method for Protecting Computer Networks Against Malicious Software,” filed Jul. 28, 2010, Inventor(s) Rishi Bhargava, et al.
U.S. Appl. No. 12/844,964, entitled “System and Method for Network Level Protection Against Malicious Software,” filed Jul. 28, 2010, Inventor(s) Rishi Bhargava, et al.
U.S. Appl. No. 12/880,125, entitled “System and Method for Clustering Host Inventories,” filed Sep. 12, 2010, Inventor(s) Rishi Bhargava, et al.
U.S. Appl. No. 12/946,081, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Nov. 15, Inventor(s) Rosen Sharma, et al.
U.S. Appl. No. 13/022,148, entitled “Execution Environment File Inventory,” filed Feb. 7, 2011, Inventor(s) Rishi Bhargava, et al.
U.S. Appl. No. 13/012,138, entitled “System and Method for Selectively Grouping and Managing Program Files,” filed Jan. 24, 2011, Inventor(s) Rishi Bhargava, et al.
U.S. Appl. No. 12/975,745, entitled “Program-Based Authorization,” filed Dec. 22, 2010, Inventor(s) Rishi Bhargava, et al.
U.S. Appl. No. 12/976,159, entitled “Solidifying the Executable Software Set of a Computer,” filed Dec. 22, 2010, Inventor E. John Sebes.
Gaurav et al., “Countering Code-Injection Attacks with Instruction-Set Randomization,” Oct. 27-31, 2003, ACM, pp. 272-280.
Barrantes et al., “Randomized Instruction Set Emulation to Dispurt Binary Code Injection Attacks,” Oct. 27-31, 2003, ACM, pp. 281-289.
IA-32 Intel® Architecture Software Developer's Manual, vol. 3B; Jun. 2006; pp. 13, 15, 22 and 145-146.
Check Point Software Technologies Ltd.: “ZoneAlarm Security Software User Guide Version 9”, Aug. 24, 2009, XP002634548, 259 pages, retrieved from Internet: URL:http://download.zonealarm.com/bin/media/pdf/zaclient91—user—manual.pdf.
Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority (1 page), International Search Report (4 pages), and Written Opinion (3 pages), mailed Mar. 2, 2011, International Application No. PCT/US2010/055520.
Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (6 pages), and Written Opinion of the International Searching Authority (10 pages) for International Application No. PCT/US2011/020677 mailed Jul. 22, 2011.
Notification of Transmittal of the International Search Report and Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (3 pages), and Written Opinion of the International Search Authority (6 pages) for International Application No. PCT/US2011/024869 mailed Jul. 14, 2011.
Tal Garfinkel, et al., “Terra: A Virtual Machine-Based Platform for Trusted Computing,” XP-002340992, SOSP'03, Oct. 19-22, 2003, 14 pages.
U.S. Appl. No. 13/037,988, entitled “System and Method for Botnet Detection by Comprehensive Email Behavioral Analysis,” filed Mar. 1, 2011, Inventor(s) Sven Krasser, et al.
Notification of International Preliminary Report on Patentability and Written Opinion mailed May 24, 2012 for International Application No. PCT/US2010/055520, 5 pages.
Sailer et al., sHype: Secure Hypervisor Approach to Trusted Virtualized Systems, IBM research Report, Feb. 2, 2005, 13 pages.
U.S. Appl. No. 13/558,181, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al.
U.S. Appl. No. 13/558,227, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al.
U.S. Appl. No. 13/558,277, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al.
U.S. Appl. No. 12/944,567, entitled “Classification of Software on Networked Systems,” filed Nov. 11, 2010, Inventor(s) E. John Sebes, et al.
U.S. Appl. No. 12/903,993, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Oct. 13, 2010, Inventor(s) Rosen Sharma, et al.
U.S. Appl. No. 12/946,081, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Nov. 15, 2010, Inventor(s) Rosen Sharma, et al.
U.S. Appl. No. 12/946,344, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Nov. 15, 2010, Inventor(s) Rosen Sharma, et al.
Myung-Sup Kim et al., “A load cluster management system using SNMP and web”, [Online], May 2002, pp. 367-378, [Retrieved from Internet on Oct. 24, 2012], <http://onlinelibrary.wiley.com/doi/10.1002/nem.453/pdf>.
G. Pruett et al., “BladeCenter systems management software”, [Online], Nov. 2005, pp. 963-975, [Retrieved from Internet on Oct. 24, 2012], <http://citeseerx.Ist.psu.edu/viewdoc/download?doi=10.1.1.91.5091&rep=rep1&type=pdf>.
Philip M. Papadopoulos et al., “NPACI Rocks: tools and techniques for easily deploying manageable Linux clusters” [Online], Aug. 2002, pp. 707-725, [Retrieved from internet on Oct. 24, 2012], <http://onlinelibrary.wiley.com/doi/10.1002/cpe.722/pdf>.
Thomas Staub et al., “Secure Remote Management and Software Distribution for Wireless Mesh Networks”, [Online], Sep. 2007, pp. 1-8, [Retrieved from Internet on Oct. 24, 2012], <http://cds.unibe.ch/research/pub—files/B07.pdf>.
“What's New: McAfee VirusScan Enterprise, 8.8,” copyright 2010, retrieved on Nov. 23, 2012 at https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT—DOCUMENTATION/22000/PD22973/en—US/VSE%208.8%20-%20What's%20New.pdf, 4 pages.
“McAfee Management for Optimized Virtual Environments,” copyright 2012, retrieved on Nov. 26, 2012 at AntiVirushttp://www.mcafee.com/us/resources/data-sheets/ds-move-anti-virus.pdf, 2 pages.
Rivest, R., “The MD5 Message-Digest Algorithm”, RFC 1321, Apr. 1992, retrieved on Dec. 14, 2012 from http://www.ietf.org/rfc/rfc1321.txt, 21 pages.
Hinden, R. and B. Haberman, “Unique Local IPv6 Unicast Addresses”, RFC 4193, Oct. 2005, retrieved on Nov. 20, 2012 from http://tools.ietf.org/pdf/rfc4193.pdf, 17 pages.
“Secure Hash Standard (SHS)”, Federal Information Processing Standards Publication, FIPS PUB 180-4, Mar. 2012, retrieved on Dec. 14, 2012 from http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf, 35 pages.
U.S. Appl. No. 13/728,705, filed Dec. 27, 2012, entitled “Herd Based Scan Avoidance System in a Network Environment,” Inventor(s) Venkata Ramanan, et al.
An Analysis of Address Space Layout Randomization on Windows Vista™, Symantec Advanced Threat Research, copyright 2007 Symantec Corporation, available at http://www.symantec.com/avcenter/reference/Address—Space—Layout—Randomization.pdf, 19 pages.
Bhatkar, et al., “Efficient Techniques for Comprehensive Protection from Memory Error Exploits,” USENIX Association, 14th USENIX Security Symposium, Aug. 1-5, 2005, Baltimore, MD, 16 pages.
Dewan, et al., “A Hypervisor-Based System for Protecting Software Runtime Memory and Persistent Storage,” Spring Simulation Multiconference 2008, Apr. 14-17, 2008, Ottawa, Canada, (available at website: www.vodun.org/papers/2008—secure—locker—submit—v1-1.pdf, printed Oct. 11, 2011), 8 pages.
Shacham, et al., “On the Effectiveness of Address-Space Randomization,” CCS'04, Oct. 25-29, 2004, Washington, D.C., Copyright 2004, 10 pages.
U.S. Appl. No. 13/271,102, filed Oct. 11, 2011, entitled System and Method for Critical Address Space Protection in a Hypervisor Environment, Inventors: Rajbir Bhattacharjee, et al.
International Search Report and Written Opinion mailed Dec. 14, 2012 for International Application No. 04796-1087WO, 9 pages.
U.S. Appl. No. 13/723,445, filed Dec. 21, 2012, entitled “System and Method for Enforcing Security Policies in a Virtual Environment,” Inventor(s) Amit Dang, et al.
U.S. Appl. No. 13/629,765, filed Sep. 28, 2012, entitled “Classification of Software on Networked Systems,” Inventor(s) E. John Sebes, et al.
International Preliminary Report on Patentability and Written Opinion issued Jan. 29, 2013 for International Application No. PCT/US2011/020677 (9 pages).
International Preliminary Report on Patentability and Written Opinion issued Jan. 29, 2013 for International Application No. PCT/US2011/024869 (6 pages).
International Preliminary Report on Patentability and Written Opinion issued Jan. 29, 2013 for International Application No. PCT/US2011/024869, 6 pages.
Office Action received for U.S. Appl. No. 12/844,892, mailed on Jan. 17, 2013, 29 pages.
Response to Office Action received for U.S. Appl. No. 12/844,892, filed Dec. 6, 2012, 34 pages.