TREA

Method and system for controlling communication ports

Follow

Information

  • Patent Grant
  • 8566924
  • Patent Number
    8,566,924
  • Date Filed
    Friday, August 12, 2011
    13 years ago
  • Date Issued
    Tuesday, October 22, 2013
    11 years ago
Information
Abstract
A method for limiting devices and controlling the applications executed from USB ports on personal computers (PCs). More specifically, the present invention relates to a method for ensuring that only authorized devices and applications are accessed from USB ports using software and configuration files on the PC. Using the software application stored on the PC storage device in conjunction with functionality performed by a designed security file server, the use of USB applications and devices is limited to authorized applications and devices.
Description
COPYRIGHT NOTICE

A portion of the disclosure of this patent document may contain material, which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or patent disclosure as it appears in the U.S. Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.


FIELD OF THE INVENTION

The present invention relates to a method for limiting devices and controlling the applications executed from USB ports on personal computers (PCs). More specifically, the present invention relates to a method for ensuring that only authorized devices and applications are accessed from USB ports using software and configuration files on the PC.


BACKGROUND OF THE INVENTION

There has been a significant increase in the use of portable USB storage devices to store, backup, and transfer information between PCs and locations. Conventional methods for controlling the devices and applications that may be accessed from USB ports are insufficient to address the current and growing risk related to these devices and applications.


Individuals, corporations and government agencies are increasingly becoming uncomfortable with allowing employees and other authorized personnel to utilize portable USB storage devices to store or transfer sensitive data and information. However, current methods lack the ability to easily prevent or detect the use of USB storage devices and computer applications accessed from USB storage devices.


Current methods also lack the ability to allow an individual, a corporation or a government agency to effectively control types of other USB non-storage devices which may be utilized. These devices include printers, scanners, cameras, music players, and other devices which may or may not be authorized.


It is estimated that over 130 million portable USB storage devices will be sold worldwide in 2007. The majority of these devices are predicted to be “smart drives”, which will include executable computer programs. These portable USB storage devices and the applications executed from them may not be authorized by the security policy or PC user. Therefore, as a result of the potential exposure related to USB devices, these devices are often prohibited by many corporate and government security policies. Although the devices themselves are often prohibited by policy, it is difficult to prevent or detect their usage with current methods.


This invention addresses these issues through a method which detects the use of portable USB storage devices and the applications executed from these devices and limits the devices and applications based on user defined criteria. Consequently, the invention may also be used to prevent or detect the use of other USB devices such as printers, scanners, cameras, music players, and other devices that can be attached to a USB port on a protected PC.


As a result of the limitations related to current methods, portable USB storage devices are considered to be a significant cause of exposure related to the potential loss of confidential data and information Therefore, a need exists for ensuring that only authorized devices and applications are accessed from USB ports that addresses these shortcomings in the prior art.


SUMMARY OF THE INVENTION

The present invention answers this need by providing a method for limiting the type of device and application that may be connected to, or executed from a USB port.


The invention consists of software that is either pre-loaded on the PC or installed and configured by the user. Software is configured to accommodate the levels of security as required by the user or organization. The configuration of security parameters may vary between PCs and organizations and may be controlled locally by the user or by a central rules database via connection through the internet or intranet connection.


In an embodiment of the present invention, the software is configured to limit (e.g. allow or deny) the use of devices connected via a USB port on the protected PC.


In other embodiments of the invention, the software is configured to limit (e.g. allow or deny) access to the files and applications stored on storage devices connected to the USB port on the protected PC.


It is thus an advantage of the present invention to provide a flexible method for selectively limiting devices and the files and applications executed from USB ports on protected personal computers. To this end, the present invention is new and unique in both its conception and implementation.


Embodiments of the present invention are described below by way of illustration. Other approaches to implementing the present invention and variations of the described embodiments may be constructed by a skilled practitioner and are considered within the scope of the present invention.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 shows the general steps that are followed by the invention in accordance with its method.



FIG. 2 shows an example whereby the invention denies access to an un-authorized USB storage device.



FIG. 3 shows an example whereby the invention allows access to an authorized USB storage device.



FIG. 4 shows an example whereby the invention denies access to an un-authorized USB non-storage device, in this case a printer.



FIG. 5 shows an example whereby the invention allows access to an authorized USB non-storage device, in this case a printer.



FIG. 6 shows an example whereby the invention is configured to get security parameter updates from a central file server.





DETAILED DESCRIPTION OF THE INVENTION

As shown on FIG. 1, the invention which includes a software module and parameter file is installed on the PC and configured to limit the use of USB devices and applications by using the following steps:


(i) Step 1—Continuously monitor all USB ports.


(ii) Step 2—Detect a new device connected to a USB port.


(iii) Step 3—Identify the type of device.


(iv) Step 4—Compare the device type to the list of authorized devices stored in the invention's configuration parameter file.

    • i. Step 5—If the device is authorized allow the connection.
    • ii. Step 6—If the device is unauthorized do not allow the connection.


(v) Steps 7 and 8—If an authorized USB storage device is connected, examine the files and executables contained on the device.

    • i. Steps 9 and 10—If the files and (or) executables are included in the list of authorized files and executables stored in the inventions configuration parameter file, allow these files to be accessed from the USB storage device.
    • ii. Steps 9 and 11 If the files and (or) executables are not included in the list of authorized files and executables stored in the invention's configuration parameter file, deny access to the files.


As shown in FIG. 2, a USB storage device containing unauthorized software is inserted to local or remote PC. The invention installed on the PC and configured in accordance with the security policy detects the unauthorized executable program and prevents the software from functioning.


In another example as shown in FIG. 3, a USB storage device containing authorized software is inserted to a local or remote PC. The invention installed on the PC detects the authorized application and allows the program to execute in accordance with the security policy and configuration rules in place.


In another example as shown in FIG. 4, an unauthorized USB non-storage device such as a printer, scanner, camera or other device is inserted into the USB port of a local or remote PC. The invention installed on the PC detects the unauthorized device and prevents the device from functioning in accordance with the security policy and configuration rules in place.


In another example as shown in FIG. 5, an authorized USB non-storage device such as a printer, scanner, camera or other device is inserted into the USB port of a local or remote PC. The invention installed on the PC detects the authorized device and allows the device to function in accordance with the security policy and configuration rules in place.


As shown in FIG. 6, the invention can also be configured to periodically receive updates from the file server software via internet or intranet connection. The file server is used to update configuration rules to that are used control the USB devices and applications which may be used in accordance with the security policy. The file server is also used as a central repository for storing all logged all security events.


Having thus described the invention in detail, it should be apparent that various modifications and changes may be made without departing from the spirit and scope of the present invention. Consequently, these and other modifications are contemplated to be within the spirit and scope of the following claims.

Claims
  • 1. A memory device having instructions stored thereon that, in response to execution by a processing device, cause the processing device to perform operations comprising: detecting a coupling of a peripheral to an input/output interface of a host;in response to detecting the coupling, identifying a device type of the peripheral;determining whether the identified device type is authorized; andpreventing the peripheral from performing at least one function in accordance with a security policy in response to determining that the identified device type is not authorized.
  • 2. The memory device of claim 1, wherein the operations further comprise allowing the peripheral to perform the at least one function in accordance with the security policy in response to determining that the identified device type is authorized.
  • 3. The memory device of claim 1, wherein the input/output interface comprises a Universal Serial Bus (USB) interface.
  • 4. The memory device of claim 1, wherein the operations further comprise: in response to detecting the coupling, identifying data corresponding to a file or executable program stored on the peripheral;determining whether the corresponding file or executable program is authorized; anddenying access to the identified data over the input/output interface in response to determining that the corresponding file or executable program is not authorized.
  • 5. The memory device of claim 4, wherein determining whether the corresponding file or executable program is authorized is in response to determining that the identified device type is authorized.
  • 6. The memory device of claim 4, wherein the operations further comprise allowing access to the identified data over the input/output interface in response to determining that the file or executable program is authorized.
  • 7. The memory device of claim 1, wherein the operations further comprise downloading a configuration file stored on a remote network device.
  • 8. The memory device of claim 7, wherein determining whether the identified device type is authorized comprises comparing the identified device type to a list of device types indicated by the downloaded configuration file.
  • 9. The memory device of claim 7, wherein the operations further comprise periodically communicating with the remote network device after downloading the configuration file to check for an update corresponding to the downloaded configuration file.
  • 10. The memory device of claim 1, wherein the identified device type comprises at least one selected from a group including a printer device type, a camera device type, a scanner device type, and a non-volatile storage device type.
  • 11. A machine-implemented method, comprising: detecting a coupling of a peripheral to an input/output interface of a host;in response to detecting the coupling, identifying a device type of the peripheral;determining whether the identified device type is authorized; andpreventing the peripheral from performing at least one function in accordance with a security policy in response to determining that the identified device type is not authorized, wherein preventing the peripheral from performing the at least one function in accordance with the security policy comprises changing a configuration stored in a memory of the host.
  • 12. The machine-implemented method of claim 11, further comprising allowing the peripheral to perform the at least one function in accordance with the security policy in response to determining that the identified device type is authorized.
  • 13. The machine-implemented method of claim 11, wherein the input/output interface comprises a Universal Serial Bus (USB) interface.
  • 14. The machine-implemented method of claim 11, further comprising: in response to detecting the coupling, identifying data corresponding to a file or executable program stored on the peripheral;determining whether the corresponding file or executable program is authorized; anddenying access to the identified data over the input/output interface in response to determining that the file or executable program is not authorized.
  • 15. The machine-implemented method of claim 14, wherein determining whether the corresponding file or executable program is authorized is in response to determining that the identified device type is authorized.
  • 16. The machine-implemented method of claim 14, further comprising allowing access to the identified data over the input/output interface in response to determining that the file or executable program is authorized.
  • 17. The machine-implemented method of claim 11, further comprising downloading a configuration file over a network.
  • 18. The machine-implemented method of claim 17, wherein determining whether the identified device type is authorized comprises comparing the identified device type to a list of device types indicated by the downloaded configuration file.
  • 19. The machine-implemented method of claim 17, further comprising periodically communicating over the network after downloading the configuration file to check for an update corresponding to the downloaded configuration file.
  • 20. The machine-implemented method of claim 11, wherein the identified device type comprises at least one selected from a group including a printer device type, a camera device type, a scanner device type, and a non-volatile storage device type.
  • 21. An apparatus, comprising: means for detecting a coupling of a peripheral to an input/output interface of a host;means for identifying a device type of the peripheral in response to detecting the coupling;means for determining whether the identified device type is authorized; andmeans for preventing the peripheral from performing at least one function in accordance with a security policy in response to determining that the identified device type is not authorized.
  • 22. The apparatus of claim 21, wherein the input/output interface comprises a Universal Serial Bus (USB) interface.
RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S. patent application Ser. No. 11/879,162, filed Jul. 16, 2007, now U.S. Pat. No. 8,011,013 and titled “Method for Securing and Controlling USB Ports,” which claims priority to U.S. Provisional Patent Application Ser. No. 60/832,003, filed Jul. 19, 2006. The content of all of these prior applications is hereby fully incorporated herein by reference.

US Referenced Citations (116)
Number Name Date Kind
5331136 Koench et al. Jul 1994 A
5566339 Perholtz et al. Oct 1996 A
5590038 Pitroda Dec 1996 A
5592618 Micka et al. Jan 1997 A
5696909 Wallner Dec 1997 A
5790074 Rangedahl et al. Aug 1998 A
5844776 Yamaguchi et al. Dec 1998 A
5884271 Pitroda Mar 1999 A
5956733 Nakano et al. Sep 1999 A
5979753 Roslak Nov 1999 A
6003008 Postrel et al. Dec 1999 A
6062478 Izaguirre et al. May 2000 A
6166688 Cromer et al. Dec 2000 A
6442682 Pothapragada et al. Aug 2002 B1
6546441 Lum Apr 2003 B1
6553348 Hashimoto Apr 2003 B1
6574716 Dovi Jun 2003 B2
6614349 Proctor et al. Sep 2003 B1
6640217 Scanlan et al. Oct 2003 B1
6704885 Salas-Meza et al. Mar 2004 B1
6925439 Pitroda Aug 2005 B1
6950949 Gilchrist Sep 2005 B1
6957329 Aleksic et al. Oct 2005 B1
7103684 Chen et al. Sep 2006 B2
7111307 Wang Sep 2006 B1
7143289 Denning et al. Nov 2006 B2
7165154 Coombs et al. Jan 2007 B2
7225208 Midgley et al. May 2007 B2
7229016 Bravo Jun 2007 B2
7263190 Moritz Aug 2007 B1
7269732 Kilian-Kehr Sep 2007 B2
7308426 Pitroda Dec 2007 B1
7349871 Labrou Mar 2008 B2
7353382 Labrou Apr 2008 B2
7356510 Durand et al. Apr 2008 B2
7356703 Chebolu et al. Apr 2008 B2
7403743 Welch Jul 2008 B2
7404088 Giobbi Jul 2008 B2
7421516 Minogue et al. Sep 2008 B2
7464862 Bacastow Dec 2008 B2
7552094 Park et al. Jun 2009 B2
7561691 Blight et al. Jul 2009 B2
7574220 Purkayastha et al. Aug 2009 B2
7606560 Labrou Oct 2009 B2
7706369 Roese et al. Apr 2010 B2
7739402 Roese et al. Jun 2010 B2
7801826 Labrou Sep 2010 B2
7822688 Labrou Oct 2010 B2
7841534 Bacastow Nov 2010 B2
8011013 Bacastow Aug 2011 B2
8037304 Rensin et al. Oct 2011 B2
8041947 O'Brien et al. Oct 2011 B2
20020082925 Herwig Jun 2002 A1
20020169979 Zimmer Nov 2002 A1
20020188856 Worby Dec 2002 A1
20020193157 Yamada et al. Dec 2002 A1
20030005193 Seroussi et al. Jan 2003 A1
20030046034 Kitamoto et al. Mar 2003 A1
20030050940 Robinson Mar 2003 A1
20030055792 Kinoshita et al. Mar 2003 A1
20030074575 Hoberock et al. Apr 2003 A1
20030110371 Yang et al. Jun 2003 A1
20030115126 Pitroda Jun 2003 A1
20030135418 Shekhar et al. Jul 2003 A1
20030174167 Poo et al. Sep 2003 A1
20030225971 Oishi et al. Dec 2003 A1
20030233501 Ma et al. Dec 2003 A1
20030236872 Atkinson Dec 2003 A1
20040001088 Stancil et al. Jan 2004 A1
20040003262 England et al. Jan 2004 A1
20040019742 Wei et al. Jan 2004 A1
20040038592 Yang Feb 2004 A1
20040039575 Bum Feb 2004 A1
20040039851 Tang et al. Feb 2004 A1
20040039854 Estakhri et al. Feb 2004 A1
20040095382 Fisher et al. May 2004 A1
20040107170 Labrou Jun 2004 A1
20040158499 Dev Aug 2004 A1
20050010768 Light et al. Jan 2005 A1
20050010835 Childs et al. Jan 2005 A1
20050081198 Cho et al. Apr 2005 A1
20050125513 Sin-Ling Lam et al. Jun 2005 A1
20050138390 Adams et al. Jun 2005 A1
20050144443 Cromer et al. Jun 2005 A1
20050149394 Postrel Jul 2005 A1
20050149684 Sankaran et al. Jul 2005 A1
20050149745 Ishidoshiro Jul 2005 A1
20050216466 Miyamoto et al. Sep 2005 A1
20050247777 Pitroda Nov 2005 A1
20050274798 Bacastow Dec 2005 A1
20060010325 Liu et al. Jan 2006 A1
20060041934 Hetzler Feb 2006 A1
20060206720 Harada et al. Sep 2006 A1
20060209337 Atobe et al. Sep 2006 A1
20060248542 Wang et al. Nov 2006 A1
20060253620 Kang Nov 2006 A1
20070022058 Labrou Jan 2007 A1
20070055635 Kanapur Mar 2007 A1
20070081508 Madhavan et al. Apr 2007 A1
20070124211 Smith May 2007 A1
20070143529 Bacastow Jun 2007 A1
20070198432 Pitroda et al. Aug 2007 A1
20070214047 Antonello et al. Sep 2007 A1
20070245158 Giobbi et al. Oct 2007 A1
20080005426 Bacastow et al. Jan 2008 A1
20080022003 Alve Jan 2008 A1
20080022360 Bacastow Jan 2008 A1
20080081608 Findikli et al. Apr 2008 A1
20080114659 Pitroda May 2008 A1
20080177826 Pitroda Jul 2008 A1
20080227391 Rosenberg Sep 2008 A1
20090010503 Mathiassen et al. Jan 2009 A1
20090150247 Bacastow Jun 2009 A1
20110040641 Bacastow Feb 2011 A1
20110071949 Petrov Mar 2011 A1
20110231274 Joao Sep 2011 A1
Foreign Referenced Citations (1)
Number Date Country
WO 03009620 Jan 2003 WO
Non-Patent Literature Citations (17)
Entry
USB & other portabale storage device usage. Gorge, Mathieu. Computer Fraud & Security. Aug. 2005.
Securing portable storage devices. Watson. Network Security. Jul. 2006.
Tracking USB storage: Analysis of windows artifacts generated by USB storage devices by Carvey et al. ElSevier. Apr. 13, 2005.
Gamble, Richard H., PINning Hopes on e-Commerce Debit, Transaction Trends, Nov. 2010, pgs. 18-20.
Stolowitz Ford Cowger Llp, Listing of Related Cases, Dec. 7, 2011.
Iomega Automatic Backup Manual Table of Contents (hereafter “IAB” archived on Dec. 22, 2002 at: http://web.archive.org/web/200212221720 18/http://www.iomega.com/supportlmanuals/ioauto/main.html (linking to 22 pages hereafter “IAB 1” . . . “IAB22”).
http://web.archive.org/web/20021030 183837/www.iomega.com/support/manuals/ioauto/gs—setup.html (hereafter “IAB 1”) (archived in 2002).
http://web.archive.org!web/2002 1223 082620/www. iomega. com/support/manuals/ioauto/qs—schedule.html (hereafter “IAB II”) (archived in 2002).
http://web.archive.org/web/20021223081144/www.iomega.com/support/manuals/ioauto/qs—cache.html (hereafter “IAB 12”) (archived in 2002).
http://web.archive.org/web/20021223075646/www. iomega. com/support/manuals/ioauto/qs—nomonitor.html (hereafter “IAB 13”) (archived in 2002).
http://web.archive.org!web20021223081714/www.iomega.com/supportlmanuals/ioauto/qs qs—restore.html (hereafter “IAB 15”) (archived in 2002).
U.S. Appl. No. 11/141,837, Apparatus & Method for POS Processing, filed Jun. 1, 2005, Utility, US.
U.S. Appl. No. 11/807,008, Apparatus and Method for Securing Portable USB Storage Devices, filed May 26, 2007, Utility, US.
U.S. Appl. No. 11/879,162, Method for Securing and Controlling USB Ports, filed Jul. 16, 2007, Utility, US.
U.S. Appl. No. 12/283,644, Apparatus & Method for POS Processing, filed Sep. 15, 2008, Utility, US.
U.S. Appl. No. 12/906,375, Apparatus and Method for POS Processing, filed Nov. 18, 2010, Utility, US.
U.S. Appl. No. 13/175,214, Apparatus and Method for Securing Portable USB Storage Devices, filed Jul. 1, 2011, Utility, US.
Related Publications (1)
Number Date Country
20110302568 A1 Dec 2011 US
Provisional Applications (1)
Number Date Country
60832003 Jul 2006 US
Continuations (1)
Number Date Country
Parent 11879162 Jul 2007 US
Child 13208660 US