1. WO2020113085 - IN-STREAM MALWARE PROTECTION

Publication Number WO/2020/113085
Publication Date 04.06.2020
International Application No. PCT/US2019/063730
International Filing Date 27.11.2019
IPC
G06F 21/56 2013.01
G PHYSICS
06 COMPUTING; CALCULATING OR COUNTING
F ELECTRIC DIGITAL DATA PROCESSING
21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
55 Detecting local intrusion or implementing counter-measures
56 Computer malware detection or handling, e.g. anti-virus arrangements
H04L 29/06 2006.01
H ELECTRICITY
04 ELECTRIC COMMUNICATION TECHNIQUE
L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
29 Arrangements, apparatus, circuits or systems, not covered by a single one of groups H04L1/-H04L27/136
02 Communication control; Communication processing
06 characterised by a protocol
CPC
G06F 21/54
G PHYSICS
06 COMPUTING; CALCULATING; COUNTING
F ELECTRIC DIGITAL DATA PROCESSING
21 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
52 during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
54 by adding security routines or objects to programs
G06F 2221/031
G PHYSICS
06 COMPUTING; CALCULATING; COUNTING
F ELECTRIC DIGITAL DATA PROCESSING
2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
031 Protect user input by software means
G06F 2221/2125
G PHYSICS
06 COMPUTING; CALCULATING; COUNTING
F ELECTRIC DIGITAL DATA PROCESSING
2221 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
2125 Just-in-time application of countermeasures, e.g., on-the-fly decryption, just-in-time obfuscation or de-obfuscation
H04L 63/02
H ELECTRICITY
04 ELECTRIC COMMUNICATION TECHNIQUE
L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
63 Network architectures or network communication protocols for network security
02 for separating internal from external traffic, e.g. firewalls
H04L 63/145
H ELECTRICITY
04 ELECTRIC COMMUNICATION TECHNIQUE
L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
63 Network architectures or network communication protocols for network security
14 for detecting or protecting against malicious traffic
1441 Countermeasures against malicious traffic
145 the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
H04L 63/1466
H ELECTRICITY
04 ELECTRIC COMMUNICATION TECHNIQUE
L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
63 Network architectures or network communication protocols for network security
14 for detecting or protecting against malicious traffic
1441 Countermeasures against malicious traffic
1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Applicants
  • TRUSTED KNIGHT CORPORATION [US]/[US]
Inventors
  • MCKENDALL, Theodore
  • RESCHKE, Trevor
  • CARLSON, Jacob
  • LIVSHITS, Stanislav
Agents
  • BEYER, Steve D
Priority Data
16/206,692 30.11.2018 US
Publication Language English (EN)
Filing Language English (EN)
Designated States
Title
(EN) IN-STREAM MALWARE PROTECTION
(FR) PROTECTION CONTRE LES LOGICIELS MALVEILLANTS EN CONTINU
Abstract
(EN)
A protector server located in the Web traffic between an end-user computer and a Web site intercepts requests for Web pages from the Web site. The server inserts protection code into a Web page returned to the user computer which executes within the user browser. The code disables malware executing within the user browser by establishing itself as an event handler, finding likely malware in the stack, and disabling it. The code thwarts host-based malware by establishing itself as an event handler, and encrypting data fields of forms before the form is submitted to the operating system of the user computer. The code detects a Web inject attack by calculating a fingerprint for a form on the Web page and sending that fingerprint to the server. The server compares that fingerprint with one previously calculated for the form and generates an alert if different. The code detects a phishing attack by sending a notification to the server indicating within which domain it is executing. The server generates an alert if the received domain is different from an expected domain. The server provides a Web application firewall.
Also published as
Latest bibliographic data on file with the International Bureau