Method and apparatus for look-ahead security scanning

US 8,037,527 B2
Filed: 11/01/2005
Issued: 10/11/2011
Est. Priority Date: 11/08/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of analyzing content for a security threat, the method comprising:

identifying on a client computing device a target link to the content, wherein the target link is identified from one or more links to content that are contained within an open document on the client computing device, wherein the one or more links are prioritized by the client computing device to determine a prefetching order according to criteria specified by a user of the client computing device, and wherein the target link is identified and prioritized before a request for the content is sent from the client computing device to a computing device that stores the content;

loading the content into a safe cache on the client computing device, according to the prefetching order and before receiving a user selection of the target link and the content is opened by an application configured to provide access to the content on the client computing device;

while the content is in the safe cache;

preventing the content from altering a memory location or storage location external to the safe cache; and

scanning the content on the client computing device for a security threat; and

before receiving the user selection of the target link, displaying an indicator to indicate whether a security threat was detected within the content.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for look-ahead security. Within a document (e.g., a web page, a word processing document, a list of electronic mail messages), a link to other content or another document is selected and the content is identified before a user clicks on the link to open the content. The content is placed into a safe cache that prevents the content from adversely affecting the user'"'"'s computing device. The content is scanned and/or its behavior is analyzed to detect any security threats or undesirable content (e.g., viruses, worms, scripts, adware, spyware, pornography). Results of the analysis may be collected at a central server. The link or an associated indicator may be configured to indicate whether a threat is present; more information may be provided as desired. A user may be provided with various options to ignore a threat, disable the link, etc.

Citations

37 Claims

1. A computer-implemented method of analyzing content for a security threat, the method comprising:
- identifying on a client computing device a target link to the content, wherein the target link is identified from one or more links to content that are contained within an open document on the client computing device, wherein the one or more links are prioritized by the client computing device to determine a prefetching order according to criteria specified by a user of the client computing device, and wherein the target link is identified and prioritized before a request for the content is sent from the client computing device to a computing device that stores the content;
  
  loading the content into a safe cache on the client computing device, according to the prefetching order and before receiving a user selection of the target link and the content is opened by an application configured to provide access to the content on the client computing device;
  
  while the content is in the safe cache;
  
  preventing the content from altering a memory location or storage location external to the safe cache; and
  
  scanning the content on the client computing device for a security threat; and
  
  before receiving the user selection of the target link, displaying an indicator to indicate whether a security threat was detected within the content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - if a security threat is detected in the content;
      
      generating an alert; and
      
      offering one or more selectable actions to initiate in response to the detected security threat.
  - 3. The method of claim 2, further comprising:
    - allowing the application to open the content only if;
      
      no security threat was detected in the content;
      
      orif a security threat was detected in the content, an action selected from the one or more selectable actions is an action to allow the content to be accessed despite the detected security threat.
  - 4. The method of claim 1, wherein said identifying comprises identifying the target link based on an identity of the content.
  - 5. The method of claim 1, wherein said identifying comprises identifying as target links a subset of all links within the document, including the target link.
  - 6. The method of claim 1, wherein said scanning comprises, if the content contains executable code, executing the code within the safe cache to determine a behavior of the code.
  - 7. The method of claim 1, wherein said displaying an indicator comprises altering an appearance of the target link.
  - 8. The method of claim 1, wherein said displaying an indicator comprises altering an appearance of an indicator associated with the target link.
  - 9. The method of claim 1, wherein the safe cache is located on the client computing device.
  - 10. The method of claim 1, wherein the safe cache is located on a central server accessible to multiple client computing devices.
  - 11. The method of claim 1, further comprising notifying a central server of a result of said scanning.
  - 12. The method of claim 11, further comprising, prior to said scanning, querying the central server for a result of a previous scanning of the content.
  - 13. The method of claim 1, wherein a security threat comprises any of the following:
    - a virus;
      
      a worm;
      
      ora trojan horse.
  - 14. The method of claim 1, wherein a security threat comprises any of the following:
    - spyware;
      
      oradware.
  - 15. The method of claim 1, wherein a security threat comprises any of the following:
    - a phishing attack;
      
      a cookie;
      
      ora script.
  - 16. The method of claim 1, wherein the application is a browser.
  - 17. The method of claim 1, wherein the application is a word processing program.
  - 18. The method of claim 1, wherein the application is an instant messaging program.

19. A computer-implemented method of scanning content for a security threat before the content is opened on a client computing device, the method comprising:
- receiving at a central server a request to fetch content from a plurality of links to content, the plurality of links displayed within a document open on a client computing device in communication with the central server and including a link to the content, wherein the request specifies a prioritization order of the plurality of links determined by the client computing device according to criteria specified by a user of the client computing device;
  
  requesting by the central server the content from a content server, according to the prioritization order;
  
  receiving the content at the central server before the client computing device receives a user selection of the link to the content;
  
  storing the content within a safe cache configured to prevent the content from altering any memory location or storage location external to the safe cache;
  
  scanning the content for a security threat; and
  
  triggering the client computing device to alter the display of the link to the content to indicate a result of said scanning, wherein the display of the link is altered before the content is opened by an application configured to provide user access to the content.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The method of claim 19, further comprising storing said result in a database of identified security threats.
  - 21. The method of claim 20, further comprising, prior to said scanning, consulting the database to determine if a security threat was identified in a previous scan of the content.
  - 22. The method of claim 19, wherein said scanning comprises, if the content contains executable code, executing the code within the safe cache to determine a behavior of the code.
  - 23. The method of claim 19, wherein said triggering comprises triggering the client computing device to modify an appearance of the link to the content.
  - 24. The method of claim 19, wherein said triggering comprises triggering the client computing device to modify an appearance of an indicator associated with the link to the content.
  - 25. The method of claim 19, wherein said triggering comprises triggering the client computing device to present a list of selectable options regarding the content.
  - 26. The method of claim 19, further comprising:
    - from the central server, retrieving other content available from computers linked to the central server;
      
      scanning the other content in the safe cache; and
      
      updating a database to include security threats identified in the other content.
  - 27. The method of claim 26, wherein said retrieving is performed without awaiting the opening, on client computing devices, of documents containing links to the other content.

28. A client computing device for facilitating look-ahead security scanning of electronic data, the client computing device comprising:
- an application configured to display a document open on the client computing device and to include within the display of the document a link to content external to the document, the link being one of a plurality of links displayed in the document, the application prioritizing the plurality of links to determine a prefetching order, the prioritizing the plurality of links according to criteria specified by a user of the client computing device;
  
  a prefetcher configured to fetch the content to the client computing device, according to the prefetching order, before a user initiates opening the content;
  
  a safe cache configured to store the content without permitting the content to alter a memory location or storage location external to the safe cache;
  
  a scanner configured to scan the content, while the content is stored in the safe cache; and
  
  a notifier configured to alter display of the link to notify the user if a security threat is detected within the content.
- View Dependent Claims (29, 30, 31, 32, 33, 34)
- - 29. The client computing device of claim 28, wherein the notifier is further configured to offer the user one or more selectable actions to initiate if a security threat is detected within the content.
  - 30. The client computing device of claim 28, wherein the notifier is further configured to notify a central server external to the client computing device if a security threat is detected within the content.
  - 31. The client computing device of claim 28, further comprising an indicator configured to indicate a result of the scan of the content.
  - 32. The client computing device of claim 31, further comprising an enhanced browsing window configured to display the content while the document is open, wherein the enhanced browsing window is opened if the user selects the indicator.
  - 33. The client computing device of claim 32, wherein said enhanced browsing window is invisible until the user selects the indicator.
  - 34. The client computing device of claim 32, wherein selecting the indicator comprises mousing-over the indicator.

35. A system for scanning content for a security threat at a central server before the content is opened on a client computing device, the central server comprising:
- an application configured to display a document on the client computing device and to include within the display of the document a link to content external to the document, the link being one of a plurality of links, the application prioritizing the plurality of links to determine a prefetching order, the prioritizing according to criteria specified by a user of the client computing device;
  
  a prefetcher configured to fetch to the client computing device the content of the link, according to the prefetching order, before a user initiates opening the content;
  
  a safe cache at the central server to store the content without permitting the content to alter a memory location or storage location external to the safe cache, wherein the content is stored in the safe cache before an application executing on the client computing device attempts to open the content;
  
  a scanner to scan the content while the content is stored in the safe cache;
  
  a database to store results of scanning the content; and
  
  a reporting module to trigger the client computing device to alter the display of the link to indicate a result of said scanning, wherein the display of the link is altered before the content is opened in an application on the client computing device.
- View Dependent Claims (36, 37)
- - 36. The central server of claim 35, further comprising:
    - a crawler configured to visit multiple computers coupled to the central server, to retrieve content for scanning in the safe cache.
  - 37. The central server of claim 35, wherein the central server is configured to receive a request from the client computing device to scan a first set of content when a document containing a link to the first set of content is opened on the client computing device;
    - wherein the request is sent from the client computing device before a user of the client computing device initiates action to open the first set of content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cufer Asset Ltd LLC (Intellectual Ventures LLC)
Original Assignee
BT Web Solutions LLC (Intellectual Ventures LLC)
Inventors
Kelly, James, Milener, Scott, Brown, Wendell
Primary Examiner(s)
Song; Hosuk
Assistant Examiner(s)
TO, BAOTRAN N

Application Number

US11/264,418
Publication Number

US 20060101514A1
Time in Patent Office

2,170 Days
Field of Search

726 22- 25, 713/188, 709/224, 715/738, 715/804, 715/805, 715/822
US Class Current

726/22
CPC Class Codes

G06F 16/9574   of access to content, e.g. ...

G06F 16/9577   Optimising the visualizatio...

G06F 21/51   at application loading time...

G06F 21/566   Dynamic detection, i.e. det...

G06Q 20/145   Payments according to the d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 67/5681   Pre-fetching or pre-deliver...

Method and apparatus for look-ahead security scanning

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for look-ahead security scanning

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links