Determining internet-based object information using public internet search
First Claim
1. A device, comprising:
- a memory storing instructions; and
- one or more processors, communicably connected to the memory, to:
  - intercept an object that is en route, over a network, to a client device;
  - execute the object to determine first object information for the object, the first object information including object content and object metadata;
  - parse the first object information into one or more strings;
  - cause an Internet search, based on a string of the one or more strings, to be performed to determine Internet search results, the string being provided as one or more Internet search queries for the Internet search;
  - receive the Internet search results based on causing the Internet search to be performed, the Internet search results being related to the first object information;
  - perform analysis of the Internet search results, based on a set of rules, to determine a set of conclusions, the set of rules including a measure of credibility of the Internet search results, and the set of conclusions including at least one of:
    - a first conclusion of whether a top Internet search result is a malware website,
    - a second conclusion of whether a forum post indicates that the object is malware, or
    - a third conclusion of whether a particular Internet search result indicates that the object is malware;
  - store or provide the set of conclusions to permit a determination as to whether the object is malicious; and
  - modify a predictive model based on the determination as to whether the object is malicious, the predictive model being used for determining second object information for unknown objects.
Abstract
A device may receive an object. The device may determine object information for the object. The device may cause an Internet search, based on the object information, to be performed to determine Internet search results. The object information may be provided as one or more Internet search queries for the Internet search. The device may receive the Internet search results based on causing the Internet search to be performed. The Internet search results may be related to the object information. The device may analyze the Internet search results to determine Internet-based object information. The device may store or provide the Internet-based object information to permit a determination as to whether the object is malicious.
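The rule-based analysis step recited in claim 1 can be sketched as follows. This is an added illustration, not part of the patent text or any vendor implementation; the credibility weights, term lists, threshold, field names and every `.example` domain are assumptions constructed for the sketch.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the page): per-domain credibility weights, term lists,
# the threshold, and all domain names below are constructed for illustration.
CREDIBILITY = {"av-vendor.example": 0.9, "secforum.example": 0.6,
               "seo-spam.example": 0.1}
DEFAULT_CREDIBILITY = 0.2
KNOWN_MALWARE_SITES = {"malware-tracker.example"}
MALICIOUS = re.compile(r"\b(malware|trojan|ransomware|dropper)\b", re.I)
BENIGN = re.compile(r"\b(false positive|not malware|legitimate)\b", re.I)
THRESHOLD = 0.5

@dataclass
class SearchResult:
    rank: int      # 1 = top result
    domain: str
    kind: str      # "forum", "site", ...
    snippet: str

def credibility(r):
    return CREDIBILITY.get(r.domain, DEFAULT_CREDIBILITY)

def indicates_malware(r):
    """A result counts only if its source is credible and it is not a denial."""
    return (credibility(r) >= THRESHOLD
            and MALICIOUS.search(r.snippet) is not None
            and BENIGN.search(r.snippet) is None)

def analyze(results):
    """Return the three conclusions named in the claims for one query string."""
    ordered = sorted(results, key=lambda r: r.rank)
    top = ordered[0] if ordered else None
    return {
        "top_result_is_malware_site":
            top is not None and top.domain in KNOWN_MALWARE_SITES,
        "forum_post_indicates_malware":
            any(r.kind == "forum" and indicates_malware(r) for r in ordered),
        "result_indicates_malware":
            any(indicates_malware(r) for r in ordered),
    }

# Constructed results for one string extracted from a sandboxed object.
SAMPLE = [
    SearchResult(1, "seo-spam.example", "site",
                 "Download free trojan remover, malware cleaner"),
    SearchResult(2, "secforum.example", "forum",
                 "This mutex name belongs to a ransomware dropper"),
    SearchResult(3, "av-vendor.example", "site",
                 "Flagged by heuristics but confirmed false positive, not malware"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The low-credibility top hit and the vendor's false-positive note are both discounted, so only the forum post drives the conclusions; without the credibility rule, keyword-stuffed pages would flag benign objects.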
20 Claims
1. A device, comprising:
- a memory storing instructions; and
- one or more processors, communicably connected to the memory, to:
  - intercept an object that is en route, over a network, to a client device;
  - execute the object to determine first object information for the object, the first object information including object content and object metadata;
  - parse the first object information into one or more strings;
  - cause an Internet search, based on a string of the one or more strings, to be performed to determine Internet search results, the string being provided as one or more Internet search queries for the Internet search;
  - receive the Internet search results based on causing the Internet search to be performed, the Internet search results being related to the first object information;
  - perform analysis of the Internet search results, based on a set of rules, to determine a set of conclusions, the set of rules including a measure of credibility of the Internet search results, and the set of conclusions including at least one of:
    - a first conclusion of whether a top Internet search result is a malware website,
    - a second conclusion of whether a forum post indicates that the object is malware, or
    - a third conclusion of whether a particular Internet search result indicates that the object is malware;
  - store or provide the set of conclusions to permit a determination as to whether the object is malicious; and
  - modify a predictive model based on the determination as to whether the object is malicious, the predictive model being used for determining second object information for unknown objects.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to:
  - intercept an object that is en route, over a network, to a client device, first object content being included in the object;
  - execute the object to determine the first object content for the object;
  - parse the first object content into a string;
  - process the string to generate a plurality of Internet search queries;
  - submit the plurality of Internet search queries to a search engine device;
  - receive, from the search engine device, a plurality of Internet search results based on the plurality of Internet search queries;
  - perform analysis of the plurality of Internet search results, based on a set of rules, to determine a set of conclusions, the set of rules including a measure of credibility of the Internet search results, and the set of conclusions including at least one of:
    - a first conclusion of whether a top Internet search result is a malware web site,
    - a second conclusion of whether a forum post indicates that the object is malware, or
    - a third conclusion of whether a particular Internet search result indicates that the object is malware;
  - store or provide the set of conclusions to permit a determination as to whether the object is malicious;
  - add information, describing the object, to a blacklist based on the determination as to whether object is malicious; and
  - modify a predictive model based on the determination as to whether the object is malicious, the predictive model being used for determining second object content for unknown objects.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A method, comprising:
- intercepting, by a device, an object that is en route, over a network, to a client device;
- executing, by the device, the object to determine first object information, the first object information being included in or describing the object;
- parsing, by the device, the first object information into a string;
- generating, by the device, Internet search queries based on the string;
- causing, by the device and based on the Internet search queries, an Internet search to be performed to determine Internet search results;
- performing, by the device, analysis of the Internet search results, based on a set of rules, to determine a set of conclusions, the set of rules including a measure of credibility of the Internet search results, and the set of conclusions including at least one of:
  - a first conclusion of whether a top Internet search result is a malware web site,
  - a second conclusion of whether a forum post indicates that the object is malware, or
  - a third conclusion of whether a particular Internet search result indicates that the object is malware;
- determining, by the device and based on the set of conclusions, whether the object is malicious;
- modifying, by the device, a predictive model based on the determination as to whether the object is malicious, the predictive model being used for determining second object information for unknown objects; and
- adding, by the device, third object information, describing the object, to a blacklist based on the determination as to whether object is malicious.

Dependent claims: 16, 17, 18, 19, 20
Specification