SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS

US 20110219448A1
Filed: 03/04/2010
Published: 09/08/2011
Est. Priority Date: 03/04/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a web page including a SWF file, wherein the SWF file originates from a different server than the web page;

extracting, using a processor, the SWF file from the web page;

analyzing the SWF file, using the processor, to determine a risk rating for the SWF file, wherein analyzing includes locating an embedded redirection uniform resource locator (URL) and determining a risk rating for the embedded redirection URL;

displaying, within the web page, the risk rating for the SWF file; and

determining, based on the risk rating, whether to filter the SWF file.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display.

Citations

24 Claims

1. A computer-implemented method comprising:
- receiving a web page including a SWF file, wherein the SWF file originates from a different server than the web page;
  
  extracting, using a processor, the SWF file from the web page;
  
  analyzing the SWF file, using the processor, to determine a risk rating for the SWF file, wherein analyzing includes locating an embedded redirection uniform resource locator (URL) and determining a risk rating for the embedded redirection URL;
  
  displaying, within the web page, the risk rating for the SWF file; and
  
  determining, based on the risk rating, whether to filter the SWF file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein analyzing the SWF file includes analyzing the behavior of the SWF file within a segregated execution sandbox.
  - 3. The computer-implemented method of claim 2, wherein analyzing the behavior of the SWF file includes processing the embedded URL within the segregated execution sandbox and evaluating the results of following the embedded redirection URL.
  - 4. The computer-implemented method of claim 2, wherein analyzing the behavior of the SWF file includes scanning for shellcode within the SWF file.
  - 5. The computer-implemented method of claim 2, wherein analyzing the behavior of the SWF file includes scanning for the presence of a malformed tag.
  - 6. The computer-implemented method of claim 2, wherein analyzing the behavior of the SWF file includes scanning for the presence of a malicious script within the SWF file.
  - 7. The computer-implemented method of claim 1, wherein analyzing the SWF file includes scanning action tags for functions including, ActionGetURL( ), loadMovie( ), and navigateToURL( ).
  - 8. The computer-implemented method of claim 1, wherein determining the risk rating includes generating a new risk rating based on at least one of:
    - one or more redirection URLs contained within the SWF file;
      
      a presence of shellcode within the SWF file;
      
      a malformed tag within the SWF file;
      
      ora malicious script within the SWF file.
  - 9. The computer-implemented method of claim 8, wherein determining the risk rating includes updating an online database with the new risk rating.
  - 10. The computer-implemented method of claim 1, wherein analyzing the SWF file includes accessing a risk rating database as at least part of determining the risk rating for the SWF file.
  - 11. The computer-implemented method of claim 10, wherein accessing a risk rating database includes locating within the risk rating database a risk rating related to at least one of:
    - the embedded redirection URL;
      
      a segment of shellcode within the SWF file;
      
      a malformed tag within the SWF file;
      
      a malicious script within the SWF file;
      
      ora hash of the SWF file

12. A system comprising:
- an extraction module to extract a SWF file from a web page requested by a web browser communicatively coupled to the extraction module;
  
  an analysis engine communicatively coupled to the extraction module and configured to;
  
  determine a risk rating for the SWF file; and
  
  send the risk rating to the web browser for display within the web page;
  
  wherein determining the risk rating includes,locating an embedded redirection uniform resource locator (URL), anddetermining a risk rating for the embedded redirection URL; and
  
  a filter module to determine, based on the risk rating, whether to filter the SWF file and to send a warning to the browser for display within the web page.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The system of claim 12, wherein the analysis engine is configured to analyze the behavior of the SWF file within a segregated execution sandbox.
  - 14. The system of claim 13, further including an analysis server configured to:
    - host the segregated execution sandbox;
      
      receive the SWF file from the analysis engine;
      
      analyze the behavior of the SWF file; and
      
      communicate at least the risk rating back to the analysis engine.
  - 15. The system of claim 13, wherein the analysis engine is configured to identify a list of redirection URLs within the SWF file.
  - 16. The system of claim 13, wherein the analysis engine is configured to scan the SWF for shellcode.
  - 17. The system of claim 13, wherein the analysis engine is configured to scan the SWF file for malformed tags.
  - 18. The system of claim 13, wherein the analysis engine is configured to scan the SWF for malicious scripts.
  - 19. The system of claim 12, wherein the analysis engine is configured to scan the SWF file for action tags representing potentially suspect functions in determining the risk rating for the SWF file, the suspect functions including, ActionGetURL( ), loadMovie( ), and navigateToURL( ).
  - 20. The system of claim 12, wherein the analysis engine includes a risk rating module configured to generate a new risk rating based on at least one of:
    - a redirection URL contained within the SWF file;
      
      a segment of shellcode within the SWF file;
      
      a malformed tag within the SWF file;
      
      ora malicious script within the SWF file.
  - 21. The system of claim 20, wherein the risk rating module is communicatively coupled to an online risk database and updates the online risk database with the new risk rating associated with the SWF file.

22. A system comprising:
- a gateway server communicatively coupled to the Internet and an internal network, the gateway server including;
  
  an extraction module to extract a SWF file from a web page requested by a client on the internal network;
  
  an analysis engine to analyze the SWF file in order to locate an embedded redirection uniform resource locator (URL), wherein the SWF file originates from a different server than the requested web page;
  
  a risk rating module to determine a risk rating for the embedded redirection URL; and
  
  a filter module to determine, based on the risk rating, whether to filter the SWF file and send a warning and the risk rating within the web page requested by the client.

23. A system comprising:
- a client computer communicatively coupled to a network and running a web browser;
  
  an extraction module, running in conjunction to the web browser, to extract a SWF file from a web page accessed by the web browser;
  
  an analysis engine communicatively coupled to the extraction module and configured to;
  
  determine a risk rating for the SWF file; and
  
  send the risk rating to the web browser for display within the web page;
  
  wherein determining the risk rating includes,locating an embedded redirection uniform resource locator (URL), and determining a risk rating for the embedded redirection URL; and
  
  a filter module to block, based on the risk rating, the SWF file and to send a warning for display within the web page.

24. An article of manufacture including a machine-readable medium containing instructions that when executed on a computer system cause the computer system to perform a method, the method comprising:
- receiving a web page including a SWF file, the SWF file originating from a different server than the web page;
  
  extracting the SWF file from the web page;
  
  analyzing the SWF file to determine a risk rating for the SWF file, wherein analyzing includes locating an embedded redirection uniform resource locator (URL) and determining a risk rating for the embedded redirection URL;
  
  displaying, within the web page, the risk rating for the SWF file; and
  
  determining, based on the risk rating, whether to filter the SWF file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mohandas, Rahul, Sreedharan, Jayesh

Granted Patent

US 8,813,232 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2119   Authenticating web pages, e...

G06F 3/14   Digital output to display d...

G06Q 30/0277   Online advertisement

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links