Title SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE
Abstract Systems and methods for selective authorization of code modules are provided. According to one embodiment, a kernel-level driver within a kernel of an operating system of a computer system intercepts activity in connection with a file system associated with the computer system or the operating system relating to a code module. A determination is made by the kernel-level driver regarding whether to allow the intercepted activity to proceed by performing a real-time authentication process of the code module with reference to a multi-level whitelist database architecture, including a local copy of a remote global whitelist database hosted by a trusted third-party service provider, a local whitelist database and a most recently used (MRU) cache. When the intercepted activity is allowed to proceed as a result of the determination, the code module is permitted by the kernel-level driver to be loaded and executed by the computer system.
Publication number US2016253491(A1) Publication date 2016.09.01
Application number US201615154205 Filing date 2016.05.13
Applicant Fortinet, Inc. Inventors Fanton Andrew F.;Gandee John J.;Lutton William H.;Harper Edwin L.;Godwin Kurt E.;Rozga Anthony A.
IPC classes G06F21/44;G06F21/52;H04L9/06;G06F21/60;H04L29/06;H04L9/32;G06F21/51;G06F21/53 Main class G06F21/44
Agency (none listed) Agent (none listed)
Independent claim 1. A method comprising: intercepting, by a kernel-level driver within a kernel of an operating system of a computer system, activity in connection with a file system associated with the computer system or the operating system relating to a code module; determining, by the kernel-level driver, whether to allow the intercepted activity to proceed by performing a real-time authentication process of the code module with reference to a multi-level whitelist database architecture, wherein the multi-level whitelist database architecture includes: a local copy of a remote global whitelist database hosted by a trusted third-party service provider containing cryptographic hash values of approved code modules, which have been identified by multiple sources as not containing viruses or malicious code, wherein the local copy of the remote global whitelist database is hosted within an enterprise network with which the computer system is associated; a local whitelist database stored within the file system including a subset of the cryptographic hash values of the approved code modules; and a most recently used (MRU) cache maintained within a random access memory of the computer system and containing entries corresponding to code modules that have previously been authenticated by the real-time authentication process, the entries each including information indicative of whether the corresponding code module was previously affirmatively authenticated by the real-time authentication process; and when the intercepted activity is allowed to proceed as a result of said determining, permitting, by the kernel-level driver, the code module to be loaded and executed by the computer system.
Address Sunnyvale CA US
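The claim above describes a three-tier lookup order (RAM-resident MRU cache, then the on-disk local whitelist, then the enterprise-hosted copy of the global whitelist) keyed on a cryptographic hash of the code module, with MRU entries recording both affirmative and negative outcomes. The following is an added userspace model of that decision logic, written for this page and not code from the patent or from Fortinet. The class and function names, the choice of SHA-256 as the hash, the LRU eviction policy, the fixed cache capacity, the sample module bytes and the fail-closed default for modules found in no tier are all assumptions of this example; the real system performs this inside a kernel-level driver on intercepted file-system activity.

```python
"""Added example (not the patent's or Fortinet's code): a userspace model of the
multi-level whitelist lookup described in claim 1. All names, the hash algorithm,
the eviction policy and the sample inputs are assumptions of this example."""
import hashlib
from collections import OrderedDict
from typing import Dict, Optional, Set


def module_hash(data: bytes) -> str:
    """Hash the module bytes. The claim only says 'cryptographic hash values';
    SHA-256 is this example's assumption."""
    return hashlib.sha256(data).hexdigest()


class MRUCache:
    """RAM-resident cache of prior decisions, keyed by module hash.

    It stores the outcome (True = affirmatively authenticated, False = not),
    matching the claim's entries that indicate whether the module was
    previously affirmatively authenticated. Least recently used entries are
    evicted first (an assumption; the claim does not fix the policy)."""

    def __init__(self, capacity: int = 4) -> None:
        self.capacity = capacity
        self._entries: "OrderedDict[str, bool]" = OrderedDict()

    def get(self, h: str) -> Optional[bool]:
        if h not in self._entries:
            return None
        self._entries.move_to_end(h)  # mark as most recently used
        return self._entries[h]

    def put(self, h: str, allowed: bool) -> None:
        self._entries[h] = allowed
        self._entries.move_to_end(h)
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # drop the least recently used


class Authenticator:
    """Real-time authentication against the three tiers, cheapest tier first."""

    def __init__(self, global_copy: Set[str], local_db: Set[str], mru: MRUCache) -> None:
        self.global_copy = global_copy  # local copy of the remote global whitelist
        self.local_db = local_db        # subset of approved hashes kept in the file system
        self.mru = mru                  # decisions already made, kept in RAM
        self.lookups: Dict[str, int] = {"mru": 0, "local": 0, "global": 0}

    def authenticate(self, data: bytes) -> bool:
        h = module_hash(data)
        self.lookups["mru"] += 1
        cached = self.mru.get(h)
        if cached is not None:
            return cached                       # prior decision, allow or deny
        self.lookups["local"] += 1
        if h in self.local_db:
            self.mru.put(h, True)
            return True
        self.lookups["global"] += 1
        allowed = h in self.global_copy         # unknown module: fail closed
        self.mru.put(h, allowed)                # cache denials too, so retries stay cheap
        return allowed


# Constructed sample modules for the demonstration (not real binaries).
GLOBAL_ONLY = b"constructed module approved only in the global whitelist"
LOCAL_ONLY = b"constructed module also approved in the local whitelist"
UNKNOWN = b"constructed module approved nowhere"


def run_demo() -> Dict[str, object]:
    """Exercise the lookup order and return the decisions and per-tier counts."""
    auth = Authenticator(
        global_copy={module_hash(GLOBAL_ONLY), module_hash(LOCAL_ONLY)},
        local_db={module_hash(LOCAL_ONLY)},
        mru=MRUCache(capacity=2),
    )
    decisions = [
        auth.authenticate(GLOBAL_ONLY),  # miss, miss, global hit -> allow
        auth.authenticate(GLOBAL_ONLY),  # served from the MRU cache
        auth.authenticate(LOCAL_ONLY),   # local hit, no global lookup
        auth.authenticate(UNKNOWN),      # all tiers miss -> deny, denial cached
        auth.authenticate(UNKNOWN),      # denial served from the MRU cache
    ]
    return {"decisions": decisions, "lookups": dict(auth.lookups)}


if __name__ == "__main__":
    print(run_demo())
```

The point of caching negative outcomes in the MRU tier is that a repeatedly retried unknown module costs one cache probe per attempt instead of a walk through every tier; the fail-closed default is what makes this an allow-list rather than a block-list.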