METHOD AND APPARATUS FOR PROACTIVELY IDENTIFYING AND MITIGATING MALWARE ATTACKS VIA HOSTED WEB ASSETS

US 20170344743A1
Filed: 05/19/2017
Published: 11/30/2017
Est. Priority Date: 05/26/2016
Status: Active Grant

First Claim

Patent Images

1. A system to support identification and mitigation of malware attack via hosted Web assets, comprising:

a Web asset assessment engine running on a host and configured toinitiate an assessment of one or more Web assets hosted by a target Web application or site protected by a Web application security device;

download the Web assets to be assessed in their native forms from the target Web application or site for assessment;

a threat detection engine running on a host and configured to accept and evaluate each of the Web assets downloaded from the target Web application or site for risk of malicious contents by generating a risk score for the Web asset, wherein each Web asset is evaluated based either on its fingerprint or its original file format;

a protection policy application engine running on a host and configured to create and correlate a plurality of policies with a set of identified malicious Web assets to mitigate threats of the Web assets hosted on the target Web application or site.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A new approach is proposed that contemplates systems and methods to provide identification and mitigation of malware attack via Web assets hosted on a Web application, site, or platform in an automated and proactive manner. From the moment the Web assets are hosted on the Web application platform and protected by a Web application security device, the hosted Web assets are constantly monitored and assessed for potential risks. Whenever there is a new instance or a modification of a Web asset, a copy of the Web asset is automatically downloaded and analyzed for potential vulnerabilities. If a suspicious indicator of malicious contents in the Web asset is detected during the analysis, a plurality of security policies are created and applied to the Web application security device to mitigate threats of the Web asset and protect users of the Web application against malware attacks via the tampered Web asset.

142 Citations

29 Claims

1. A system to support identification and mitigation of malware attack via hosted Web assets, comprising:
- a Web asset assessment engine running on a host and configured toinitiate an assessment of one or more Web assets hosted by a target Web application or site protected by a Web application security device;
  
  download the Web assets to be assessed in their native forms from the target Web application or site for assessment;
  
  a threat detection engine running on a host and configured to accept and evaluate each of the Web assets downloaded from the target Web application or site for risk of malicious contents by generating a risk score for the Web asset, wherein each Web asset is evaluated based either on its fingerprint or its original file format;
  
  a protection policy application engine running on a host and configured to create and correlate a plurality of policies with a set of identified malicious Web assets to mitigate threats of the Web assets hosted on the target Web application or site.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein:
    - each of the Web asset is one of a URL, a document object and an executable program.
  - 3. The system of claim 1, wherein:
    - the Web application security device is a Web application firewall configured to protect the Web assets hosted by the target Web application or site.
  - 4. The system of claim 1, wherein:
    - the Web asset assessment engine is configured to utilize its web-client capabilities to establish a communication channel with the target Web application or site, wherein the communication channel reaches the target Web application or site either internally through a private network protected by the Web application security device or externally through the Web application security device.
  - 5. The system of claim 1, wherein:
    - the Web asset assessment engine is configured to scan through the Web assets to track newly hosted Web assets and changes to the existing Web assets to incrementally pick only those Web assets that are new or have changed since the last scan for assessment.
  - 6. The system of claim 5, wherein:
    - the Web asset assessment engine is event-driven, which initiates the assessment when the new Web asset is hosted on the target Web application or an existing Web asset has been modified.
  - 7. The system of claim 1, wherein:
    - the Web asset assessment engine is timer-based, which periodically checks the target Web application or site for any newly hosted Web asset since the last check and initiates the assessment if any newly hosted Web asset is found.
  - 8. The system of claim 1, wherein:
    - the Web asset assessment engine is configured to mark each Web asset to be assessed with contextual meta-data to indicate a path to the Web asset on the target Web application or site for retrieval.
  - 9. The system of claim 1, wherein:
    - the Web asset assessment engine is configured to download all of the Web assets to be assessed in a batch to reduce communication overhead between the Web asset assessment engine and the target Web application or site.
  - 10. The system of claim 1, wherein:
    - the threat detection engine is configured to perform qualitative and/or quantitative data analysis on the Web asset to determine if the Web asset has been tampered with the malicious contents.
  - 11. The system of claim 1, wherein:
    - the threat detection engine is configured to communicate with the Web asset assessment engine synchronously wherein each Web asset is evaluated as soon as it is downloaded from the target Web application or site.
  - 12. The system of claim 1, wherein:
    - the threat detection engine is configured to communicate with the Web asset assessment engine asynchronously wherein each downloaded Web asset is first saved and maintained before it is evaluated at a later time.
  - 13. The system of claim 12, wherein:
    - the threat detection engine is configured to provide the risk score of the Web asset back to the Web asset assessment engine to be synchronized with the corresponding Web asset it maintains.
  - 14. The system of claim 1, wherein:
    - the protection policy application engine is configured to insert the policies to the Web application security device to prevent access to, block or remove the malicious Web assets from the target Web application or site to protect users of applications and other hosted Web assets of the target Web application or site or a client system having downloaded the Web asset from the target Web application or site.
  - 15. The system of claim 1, further comprising:
    - a threat summary and reporting engine running on a host and configured to generate a report that summarizes threat posed by the Web assets based on the risk scores that have been generated for the Web assets.
  - 16. The system of claim 15, wherein:
    - the protection policy application engine is configured to provide the report, upon request, to a user/system administrator of the target Web application or site as part of a warning message that the Web asset hosted on the target Web application or site has been tampered and may affect other hosted Web assets and/or applications of the target Web application or site or a client system having downloaded the Web asset from the target Web application or site.

17. A computer-implemented method to support identification and mitigation of malware attack via hosted Web assets, comprising:
- initiating an assessment of one or more Web assets hosted by a target Web application or site protected by a Web application security device;
  
  downloading the Web assets to be assessed in their native forms from the target Web application or site for assessment;
  
  accepting and evaluating each of the Web assets downloaded from the target Web application or site for risk of malicious contents by generating a risk score for the Web asset, wherein each Web asset is evaluated based either on its fingerprint or its original file format;
  
  creating and correlating a plurality of policies with a set of identified malicious Web assets to mitigate threats of the malicious Web assets hosted on the target Web application or site.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 18. The method of claim 17, further comprising:
    - establishing a communication channel with the target Web application or site, wherein the communication channel reaches the target Web application or site either internally through a private network protected by the Web application security device or externally through the Web application security device.
  - 19. The method of claim 17, further comprising:
    - scanning through the Web assets to track newly hosted Web assets and changes to the existing Web assets to incrementally pick only those Web assets that are new or have changed since the last scan for assessment.
  - 20. The method of claim 17, further comprising:
    - periodically checking the target Web application or site for any newly hosted Web asset since the last check and initiating the assessment if any newly hosted Web asset is found.
  - 21. The method of claim 17, further comprising:
    - marking each Web asset to be assessed with contextual meta-data to indicate a path to the Web asset on the target Web application or site for retrieval.
  - 22. The method of claim 17, further comprising:
    - downloading all of the Web assets to be assessed in a batch to reduce communication overhead between the Web asset assessment engine and the target Web application or site.
  - 23. The method of claim 17, further comprising:
    - performing qualitative and/or quantitative data analysis on the Web asset to determine if the Web asset has been tampered with the malicious contents.
  - 24. The method of claim 17, further comprising:
    - communicating with the Web asset assessment engine synchronously wherein each Web asset is evaluated as soon as it is downloaded from the target Web application or site.
  - 25. The method of claim 17, further comprising:
    - communicating with the Web asset assessment engine asynchronously wherein each downloaded Web asset is first saved and maintained before it is evaluated at a later time;
      
      providing the risk score of the Web asset back to the Web asset assessment engine to be synchronized with the corresponding Web asset it maintains.
  - 26. The method of claim 17, further comprising:
    - inserting the policies to the Web application security device to prevent access to, block or remove the malicious Web assets from the target Web application or site to protect users of applications and other hosted Web assets of the target Web application or site or a client system having downloaded the Web asset from the target Web application or site.
  - 27. The method of claim 17, further comprising:
    - generating a report that summarizes threat posed by the Web assets based on the risk scores that have been generated for the Web assets.
  - 28. The method of claim 27, further comprising:
    - providing the report, upon request, to a user/system administrator of the target Web application or site as part of a warning message that the Web asset hosted on the target Web application or site has been tampered and may affect other hosted Web assets and/or applications of the target Web application or site or a client system having downloaded the Web asset from the target Web application or site.

29. At least one computer-readable storage medium having computer-executable instructions embodied thereon, wherein, when executed by at least one processor, the computer-executable instructions cause the at least one processor to:
- initiate an assessment of one or more Web assets hosted by a target Web application or site protected by a Web application security device;
  
  download the Web assets to be assessed in their native forms from the target Web application or site for assessment;
  
  accept and evaluate each of the Web assets downloaded from the target Web application or site for risk of malicious contents by generating a risk score for the Web asset, wherein each Web asset is evaluated based either on its fingerprint or its original file format;
  
  create and correlate a plurality of policies with a set of identified malicious Web assets to mitigate threats of the malicious Web assets hosted on the target Web application or site.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
SHI, Fleming M., MIRON, Nitzan

Granted Patent

US 10,860,715 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

METHOD AND APPARATUS FOR PROACTIVELY IDENTIFYING AND MITIGATING MALWARE ATTACKS VIA HOSTED WEB ASSETS

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR PROACTIVELY IDENTIFYING AND MITIGATING MALWARE ATTACKS VIA HOSTED WEB ASSETS

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links