Cooperative identification of malicious remote objects
First Claim
1. A computer-implemented method of cooperative identification of potentially malicious remote objects, comprising:
in response to detection of client device access to an instance of a remote object:
identifying a location associated with the instance of the remote object;
creating a unique content identification value for content associated with the instance of the remote object;
identifying content identification values associated with previous object instances of the remote object associated with the location;
comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;
in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and
in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.
2 Assignments
0 Petitions
Abstract
A computer, computer program product, and method identify potentially malicious remote objects using client cooperation. A remote object access module detects client device access of a remote object instance, and an object analysis system identifies an associated location, creates a content identification value for the instance, compares it to stored content identification values for previous instances, and if anomalous, analyzes the stored content identification values to determine whether malicious. The remote object access module monitors actual traffic received by the client, and stores the information across multiple clients for comparison, allowing more accurate detection of malicious remote objects than traditional web crawling.
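The abstract and claim 1 describe a pipeline: record the location a client fetched, derive a content identification value from the bytes the client actually received, compare it against values other clients reported for the same location, and on a mismatch look for a legitimate explanation (the location serving different content to different geographic regions) before labelling the instance potentially malicious. The following Python is an added illustration of that logic, not code from the patent or its assignee. The class and field names, the use of SHA-256 as the content identification value, the verdict strings, the region labels and the URL are all assumptions made for this example; the client reports are constructed.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Observation:
    """One client's report of fetching a remote object (hypothetical schema for this example)."""
    client_id: str
    location: str   # the URL the client actually fetched
    region: str     # coarse geographic region of the reporting client
    content: bytes  # bytes the client actually received


def content_id(content: bytes) -> str:
    """Content identification value; SHA-256 is this example's choice, not the patent's."""
    return hashlib.sha256(content).hexdigest()


class CooperativeObjectAnalyzer:
    """Pools observations from many clients and labels each newly seen instance."""

    def __init__(self) -> None:
        # location -> list of (region, content_id, client_id) reported so far
        self._history = defaultdict(list)

    @staticmethod
    def _returns_regional_content(previous) -> bool:
        """True when at least two regions each consistently received their own distinct content."""
        ids_by_region = defaultdict(set)
        for region, cid, _client in previous:
            ids_by_region[region].add(cid)
        if len(ids_by_region) < 2:
            return False  # no evidence yet of content varying by region
        if any(len(ids) != 1 for ids in ids_by_region.values()):
            return False  # some region saw several versions: not a clean regional split
        distinct = {next(iter(ids)) for ids in ids_by_region.values()}
        return len(distinct) == len(ids_by_region)

    def observe(self, obs: Observation) -> str:
        cid = content_id(obs.content)
        previous = list(self._history[obs.location])
        self._history[obs.location].append((obs.region, cid, obs.client_id))

        if not previous:
            return "no_history"
        if cid in {p[1] for p in previous}:
            return "known"
        # Mismatch with every previous value: look for a legitimate reason before labelling.
        seen_regions = {p[0] for p in previous}
        if obs.region not in seen_regions and self._returns_regional_content(previous):
            return "benign_regional_variant"
        return "potentially_malicious"


def demo() -> list:
    """Constructed sequence of client reports for one location."""
    url = "https://cdn.example.test/widget.js"  # constructed location
    analyzer = CooperativeObjectAnalyzer()
    reports = [
        Observation("c1", url, "EU", b"// widget build eu-1"),
        Observation("c2", url, "EU", b"// widget build eu-1"),
        Observation("c3", url, "US", b"// widget build us-1"),
        Observation("c4", url, "US", b"// widget build us-1"),
        Observation("c5", url, "APAC", b"// widget build apac-1"),
        Observation("c6", url, "EU", b"// widget build eu-1\n// injected"),
    ]
    return [analyzer.observe(r) for r in reports]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two points the sequence makes visible. The first report from a second region (c3) is labelled potentially malicious even though it is a legitimate regional build, because the legitimate reason in the claim requires evidence that the location already serves distinct content to a plurality of regions; a deployment needs an adjudication step for this cold-start case, and the adjudicated observation then stays in the pooled history so that the APAC report (c5) can be explained. Conversely, a changed object in a region whose content was previously stable (c6) has no such explanation and is flagged. Because the comparison is an exact hash, any byte-level variation (timestamps, per-session tokens, rotating advertisements) looks like a mismatch; practical implementations normalize content or use a similarity hash instead of SHA-256. Pooling reports from real clients is also what lets the approach see content that a crawler is never served, at the cost that an attacker controlling many reporting clients can try to seed the history.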
35 Citations
20 Claims
1. A computer-implemented method of cooperative identification of potentially malicious remote objects, comprising:
in response to detection of client device access to an instance of a remote object:
identifying a location associated with the instance of the remote object;
creating a unique content identification value for content associated with the instance of the remote object;
identifying content identification values associated with previous object instances of the remote object associated with the location;
comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;
in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and
in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A non-transitory computer-readable storage medium having computer program instructions embodied therein for cooperative identification of potentially malicious remote objects, the instructions when executed performing steps comprising:
detecting client device access to an instance of a remote object;
identifying a location associated with the instance of the remote object;
creating a unique content identification value for content associated with the instance of the remote object;
identifying content identification values associated with previous object instances of the remote object associated with the location;
comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;
in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and
in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A computer system configured for cooperative identification of potentially malicious remote objects, the system comprising:
a computer processor;
a computer-readable storage medium storing executable code, the code when executed by the computer processor performing steps comprising:
identifying a location associated with an instance of a remote object;
creating a unique content identification value for content associated with the instance of the remote object;
identifying content identification values associated with previous object instances of the remote object associated with the location;
comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;
in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and
in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.
Dependent claims: 18, 19, 20.
Specification