Method and apparatus for look-ahead security scanning

US 20060101514A1
Filed: 11/01/2005
Published: 05/11/2006
Est. Priority Date: 11/08/2004
Status: Active Grant

First Claim

Patent Images

1. An automated method of analyzing content to determine if the content contains a security threat, the method comprising:

selecting, within a document open on a client computing device, a target link to the content;

loading the content into a safe cache before the content is opened by an application configured to provide access to the content on the client device;

while the content is in the safe cache;

preventing the content from altering the contents of a memory location or storage location external to the safe cache; and

scanning the content for a security threat; and

indicating a result of said scanning before the user selects the link.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for look-ahead security. Within a document (e.g., a web page, a word processing document, a list of electronic mail messages), a link to other content or another document is selected and the content is identified before a user clicks on the link to open the content. The content is placed into a safe cache that prevents the content from adversely affecting the user'"'"'s computing device. The content is scanned and/or its behavior is analyzed to detect any security threats or undesirable content (e.g., viruses, worms, scripts, adware, spyware, pornography). Results of the analysis may be collected at a central server. The link or an associated indicator may be configured to indicate whether a threat is present; more information may be provided as desired. A user may be provided with various options to ignore a threat, disable the link, etc.

304 Citations

41 Claims

1. An automated method of analyzing content to determine if the content contains a security threat, the method comprising:
- selecting, within a document open on a client computing device, a target link to the content;
  
  loading the content into a safe cache before the content is opened by an application configured to provide access to the content on the client device;
  
  while the content is in the safe cache;
  
  preventing the content from altering the contents of a memory location or storage location external to the safe cache; and
  
  scanning the content for a security threat; and
  
  indicating a result of said scanning before the user selects the link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - if a security threat is identified in the content;
      
      generating an alert; and
      
      offering one or more selectable actions to initiate in response to the identified security threat.
  - 3. The method of claim 2, further comprising:
    - allowing the application to open the content only if;
      
      no security threat was identified in the content;
      
      or if a security threat was identified in the content, an action selected from the one or more offered actions is an action to allow the content to be accessed despite the identified security threat.
  - 4. The method of claim 1, wherein said selecting comprises:
    - selecting the target link based on an identity of the content.
  - 5. The method of claim 1, wherein said selecting comprises:
    - selecting as target links a subset of all links within the document, including the target link.
  - 6. The method of claim 1, wherein said scanning comprises:
    - if the content contains executable code, executing the code within the safe cache to determine a behavior of the code.
  - 7. The method of claim 1, wherein said indicating comprises:
    - altering an appearance of the target link.
  - 8. The method of claim 1, wherein said indicating comprises:
    - altering an appearance of an indicator associated with the target link.
  - 9. The method of claim 1, wherein the safe cache is located on the client device.
  - 10. The method of claim 1, wherein the safe cache is located on a central server accessible to multiple client computing devices.
  - 11. The method of claim 1, further comprising:
    - notifying a central server of a result of said scanning.
  - 12. The method of claim 11, further comprising, prior to said scanning:
    - querying the central server for a result of a previous scanning of the content.
  - 13. The method of claim 1, wherein a security threat comprises any of the following:
    - a virus;
      
      a worm;
      
      or a trojan horse.
  - 14. The method of claim 1, wherein a security threat comprises any of the following:
    - spyware;
      
      or adware.
  - 15. The method of claim 1, wherein a security threat comprises any of the following:
    - a phishing attack;
      
      a cookie;
      
      or a script.
  - 16. The method of claim 1, wherein the application is a browser.
  - 17. The method of claim 1, wherein the application is a word processing program.
  - 18. The method of claim 1, wherein the application is an instant messaging program.

19. A computer-implemented method of scanning content for a security threat on a central server before the content is opened on a client computing device, the method comprising:
- receiving the content at the central server before a user of the client device selects a link to the content;
  
  storing the content within a safe cache configured to prevent the content from altering any memory location or storage location external to the safe cache;
  
  scanning the content for a security threat; and
  
  notifying the client device of a result of said scanning before the content is opened by an application configured to provide the user access to the content.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The method of claim 19, further comprising:
    - storing said result in a database of identified security threats.
  - 21. The method of claim 20, further comprising, prior to said scanning:
    - consulting the database to determine if a security threat was identified in a previous scan of the content.
  - 22. The method of claim 19, wherein said scanning comprises:
    - if the content contains executable code, executing the code with the safe cache to determine a behavior of the code.
  - 23. The method of claim 19, wherein said notifying comprises:
    - triggering the client device to modify an appearance of the link to the content.
  - 24. The method of claim 19, wherein said notifying comprises:
    - triggering the client device to modify an appearance of an indicator associated with the link to the content.
  - 25. The method of claim 19, wherein said notifying comprises:
    - triggering the client device to present a list of selectable options regarding the content.
  - 26. The method of claim 19, further comprising:
    - from the central server, retrieving other content available from computers linked to the central server;
      
      scanning the other content in the safe cache; and
      
      updating a database to include security threats identified in the other content.
  - 27. The method of claim 26, wherein said retrieving is performed without awaiting the opening, on client computing devices, of documents containing links to the other content.

28. A method of enhanced browsing of a second web page linked to a first web page displayed by a browser in a browser window, with look-ahead security scanning, the method comprising:
- identifying, in the first web page, a target link to the second web page;
  
  prior to a user selection of the target link or an indicator associated with the link, prefetching content from the second web page;
  
  scanning the content for a security threat, within a safe cache configured to prevent the content from altering a memory location or storage location external to the safe cache;
  
  detecting placement of a cursor proximate to the target link or the associated indicator; and
  
  in response to said detecting;
  
  if a security threat was identified with the content, presenting one or more selectable options; and
  
  displaying a second window comprising the prefetched content if no security threat was identified with the content or if the user chooses to ignore an identified security threat.
- View Dependent Claims (29, 30)
- - 29. The method of claim 28, further comprising prior to said displaying a second window:
    - generating but not displaying the second window;
      
      populating the second window with the prefetched content; and
      
      caching the second window.
  - 30. The method of claim 28, wherein:
    - the indicator is configured with a first appearance if no security threat is identified in the content; and
      
      the indicator is configured with a different appearance if a security threat is identified in the content.

31. A computer readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of enhanced browsing of a second web page linked to a first web page displayed by a browser in a browser window, with look-ahead security scanning, the method comprising:
- identifying, in the first web page, a target link to the second web page;
  
  prior to a user selection of the target link or an indicator associated with the link, prefetching content from the second web page;
  
  scanning the content for a security threat, within a safe cache configured to prevent the content from altering a memory location or storage location external to the safe cache;
  
  detecting placement of a cursor proximate to the target link or the associated indicator; and
  
  in response to said detecting;
  
  if a security threat was identified with the content, presenting one or more selectable options; and
  
  displaying a second window comprising the prefetched content if no security threat was identified with the content or if the user chooses to ignore an identified security threat.

32. A client computing device for facilitating look-ahead security scanning of electronic data, the apparatus comprising:
- within a document open on the device, a link to content external to the document;
  
  a prefetcher configured to fetch the content before a user initiates opening the content;
  
  a safe cache configured to store the content without permitting the content to alter a memory location or storage location external to the safe cache;
  
  a scanner configured to scan the content, while the content is stored in the safe cache; and
  
  a notifier configured to notify the user if a security threat is detected within the content.
- View Dependent Claims (33, 34, 35, 36, 37, 38)
- - 33. The client computing device of claim 32, wherein the notifier is further configured to offer the user one or more selectable actions to initiate if a security threat is detected within the content.
  - 34. The client computing device of claim 32, wherein the notifier is further configured to notify a central server external to the client computing device if a security threat is detected within the content.
  - 35. The client computing device of claim 32, further comprising:
    - an indicator configured to indicate a result of the scan of the content.
  - 36. The client computing device of claim 35, further comprising:
    - an enhanced browsing window configured to display the content while the document is open;
      
      wherein the enhanced browsing window is opened if the user selects the indicator.
  - 37. The client computing device of claim 36, wherein said enhanced browsing window is invisible until the user selects the indicator.
  - 38. The client computing device of claim 36, wherein selecting the indicator comprises mousing-over the indicator.

39. A central server for scanning content for a security threat before the content is opened on a client computing device, the central server comprising:
- a safe cache configured to store the content without permitting the content to alter a memory location or storage location external to the safe cache;
  
  a scanner configured to scan the content while the content is stored in the safe cache; and
  
  a database configured to store results of scanning the content;
  
  wherein the content is stored in the safe cache before an application executing on the client computing device attempts to open the content.
- View Dependent Claims (40, 41)
- - 40. The central server of claim 39, further comprising:
    - a crawler configured to visit multiple computers coupled to the central server, to retrieve content for scanning in the safe cache.
  - 41. The central server of claim 39, wherein the central server is requested by a first client device to scan a first set of content when a document containing a link to the first set of content is opened on the first client device;
    - wherein the request is sent from the first client device before a user of the first client device initiates action to open the content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cufer Asset Ltd LLC (Intellectual Ventures LLC)
Original Assignee
BT Web Solutions LLC (Intellectual Ventures LLC)
Inventors
Kelly, James, Brown, Wendell, Milener, Scott

Granted Patent

US 8,037,527 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 16/9574   of access to content, e.g. ...

G06F 16/9577   Optimising the visualizatio...

G06F 21/51   at application loading time...

G06F 21/566   Dynamic detection, i.e. det...

G06Q 20/145   Payments according to the d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 67/5681   Pre-fetching or pre-deliver...

Method and apparatus for look-ahead security scanning

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

304 Citations

41 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for look-ahead security scanning

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

304 Citations

41 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others