Determining internet-based object information using public internet search

US 10,104,106 B2
Filed: 03/31/2015
Issued: 10/16/2018
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

a memory storing instructions; and

one or more processors, communicably connected to the memory, to;

intercept an object that is en route, over a network, to a client device;

execute the object to determine first object information for the object, the first object information including object content and object metadata;

parse the first object information into one or more strings;

cause an Internet search, based on a string of the one or more strings, to be performed to determine Internet search results,the string being provided as one or more Internet search queries for the Internet search;

receive the Internet search results based on causing the Internet search to be performed,the Internet search results being related to the first object information;

perform analysis of the Internet search results, based on a set of rules, to determine a set of conclusions,the set of rules including a measure of credibility of the Internet search results, andthe set of conclusions including at least one of;

a first conclusion of whether a top Internet search result is a malware website,a second conclusion of whether a forum post indicates that the object is malware, ora third conclusion of whether a particular Internet search result indicates that the object is malware;

store or provide the set of conclusions to permit a determination as to whether the object is malicious; and

modify a predictive model based on the determination as to whether the object is malicious,the predictive model being used for determining second object information for unknown objects.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive an object. The device may determine object information for the object. The device may cause an internet search, based on the object information, to be performed to determine Internet search results. The object information may be provided as one or more Internet search queries for the Internet search. The device may receive the Internet search results based on causing the Internet search to be performed. The Internet search results may be related to the object information. The device may analyze the Internet search results to determine Internet-based object information. The device may store or provide the Internet-based object information to permit a determination as to whether the object is malicious.

Citations

20 Claims

1. A device, comprising:
- a memory storing instructions; and
  
  one or more processors, communicably connected to the memory, to;
  
  intercept an object that is en route, over a network, to a client device;
  
  execute the object to determine first object information for the object, the first object information including object content and object metadata;
  
  parse the first object information into one or more strings;
  
  cause an Internet search, based on a string of the one or more strings, to be performed to determine Internet search results,the string being provided as one or more Internet search queries for the Internet search;
  
  receive the Internet search results based on causing the Internet search to be performed,the Internet search results being related to the first object information;
  
  perform analysis of the Internet search results, based on a set of rules, to determine a set of conclusions,the set of rules including a measure of credibility of the Internet search results, andthe set of conclusions including at least one of;
  
  a first conclusion of whether a top Internet search result is a malware website,a second conclusion of whether a forum post indicates that the object is malware, ora third conclusion of whether a particular Internet search result indicates that the object is malware;
  
  store or provide the set of conclusions to permit a determination as to whether the object is malicious; and
  
  modify a predictive model based on the determination as to whether the object is malicious,the predictive model being used for determining second object information for unknown objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, where the one or more processors, when parsing the first object information into the one or more strings, are to:
    - parse the object content into the string.
  - 3. The device of claim 1, where the one or more processors, when parsing the first object information into the one or more strings, are to:
    - parse the object metadata into the string.
  - 4. The device of claim 1, where the one or more processors are further to:
    - perform a static analysis to determine third object information,the third object information being determined without opening or executing the object.
  - 5. The device of claim 1, where the one or more processors are further to:
    - determine a classification of the object based on the set of conclusions,the classification indicating whether the object is safe or unsafe.
  - 6. The device of claim 1, where the predictive model is generated by applying a machine learning algorithm to a known object and known Internet search results associated with the known object;
    - andwhere the one or more processors, when performing the analysis of the Internet search results, are to;
      
      perform the analysis of the Internet search results associated with the object based on the predictive model to determine the set of conclusions.
  - 7. The device of claim 1, where the one or more processors are further to:
    - notify a network administrator based on the determination as to whether the object is malicious.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  intercept an object that is en route, over a network, to a client device,first object content being included in the object;
  
  execute the object to determine the first object content for the object;
  
  parse the first object content into a string;
  
  process the string to generate a plurality of Internet search queries;
  
  submit the plurality of Internet search queries to a search engine device;
  
  receive, from the search engine device, a plurality of Internet search results based on the plurality of Internet search queries;
  
  perform analysis of the plurality of Internet search results, based on a set of rules, to determine a set of conclusions,the set of rules including a measure of credibility of the Internet search results, andthe set of conclusions including at least one of;
  
  a first conclusion of whether a top Internet search result is a malware web site,a second conclusion of whether a forum post indicates that the object is malware, ora third conclusion of whether a particular Internet search result indicates that the object is malware;
  
  store or provide the set of conclusions to permit a determination as to whether the object is malicious;
  
  add information, describing the object, to a blacklist based on the determination as to whether object is malicious; and
  
  modify a predictive model based on the determination as to whether the object is malicious,the predictive model being used for determining second object content for unknown objects.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine a classification of the object based on the set of conclusions,the classification indicating whether the object is malicious.
  - 10. The non-transitory computer-readable medium of claim 8, where the information is first information;
    - where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      determine object metadata for the object,the object metadata including second information describing the object; and
      
      process the object metadata to obtain one or more Internet search queries; and
      
      where the one or more instructions, that cause the one or more processors to submit the plurality of Internet search queries, cause the one or more processors to;
      
      submit the one or more Internet search queries to the search engine device.
  - 11. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - perform a static analysis to determine second object content,the second object content being determined without opening or executing the object.
  - 12. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to execute the object, cause the one or more processors to:
    - execute the object to determine object metadata for the object; and
      
      where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      process the object metadata to obtain one or more Internet search queries.
  - 13. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to analyze the plurality of Internet search results, cause the one or more processors to:
    - analyze the plurality of Internet search results based on at least one of;
      
      a date of publication associated with the plurality of Internet search results,a quantity of page views associated with the plurality of Internet search results,a ranking associated with the plurality of Internet search results, ora reputation associated with the plurality of Internet search results.
  - 14. The non-transitory computer-readable medium of claim 8, where the predictive model is generated by applying a machine learning algorithm to a known object and known Internet search results associated with the known object;
    - andwhere the one or more instructions, that cause the one or more processors to perform the analysis of the plurality of Internet search results, cause the one or more processors to;
      
      perform the analysis of the plurality of Internet search results based on the predictive model to determine the set of conclusions.

15. A method, comprising:
- intercepting, by a device, an object that is en route, over a network, to a client device;
  
  executing, by the device, the object to determine first object information,the first object information being included in or describing the object;
  
  parsing, by the device, the first object information into a string;
  
  generating, by the device, Internet search queries based on the string;
  
  causing, by the device and based on the Internet search queries, an Internet search to be performed to determine Internet search results;
  
  performing, by the device, analysis of the Internet search results, based on a set of rules, to determine a set of conclusions,the set of rules including a measure of credibility of the Internet search results, andthe set of conclusions including at least one of;
  
  a first conclusion of whether a top Internet search result is a malware web site,a second conclusion of whether a forum post indicates that the object is malware, ora third conclusion of whether a particular Internet search result indicates that the object is malware;
  
  determining, by the device and based on the set of conclusions, whether the object is malicious;
  
  modifying, by the device, a predictive model based on the determination as to whether the object is malicious,the predictive model being used for determining second object information for unknown objects; and
  
  adding, by the device, third object information, describing the object, to a blacklist based on the determination as to whether object is malicious.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - determining object metadata for the object,the object metadata including information describing the object; and
      
      where causing the Internet search to be performed comprises;
      
      causing the Internet search to be performed based on the object metadata.
  - 17. The method of claim 15, where the predictive model is generated by applying a machine learning algorithm to a known object and known Internet search results associated with the known object;
    - andwhere performing the analysis of the Internet search results comprises;
      
      performing the analysis of the Internet search results based on the predictive model to determine the set of conclusions.
  - 18. The method of claim 15, further comprising:
    - performing a static analysis to determine the first object information,the static analysis determining the first object information without opening or executing the object.
  - 19. The method of claim 15, where the first object information comprises:
    - object content and object metadata for the object,the object content being included in the object, andthe object metadata describing the object; and
      
      where generating the Internet search queries comprises;
      
      generating the Internet search queries based on the object content and based on the object metadata.
  - 20. The method of claim 15, further comprising:
    - dropping the object based on determining that the object is malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Langton, Jacob Asher, Zhan, Zhenxin, Quinlan, Daniel J., Adams, Kyle
Primary Examiner(s)
Revak, Christopher
Assistant Examiner(s)
Savenkov, Vadim

Application Number

US14/674,122
Publication Number

US 20160294857A1
Time in Patent Office

1,295 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 16/9535   Search customisation based ...

G06F 16/9538   Presentation of query results

H04L 63/14   for detecting or protecting...

H04L 63/1425   Traffic logging, e.g. anoma...

Determining internet-based object information using public internet search

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Determining internet-based object information using public internet search

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links