Referrer context identification for remote object links

US 8,479,284 B1
Filed: 12/20/2007
Issued: 07/02/2013
Est. Priority Date: 12/20/2007
Status: Active Grant

First Claim

Patent Images

1. A method of identifying referrer context information for links to remote objects, comprising:

monitoring network traffic received at a client device in a plurality of different protocols;

identifying in the network traffic links to remote objects, the links received via the plurality of different protocols;

identifying, using pattern matching, referrer context information within the monitored network traffic that is associated with the links to the remote objects, wherein types of referrer context information are specific to the protocols in which the links to the remote objects were received, different types of referrer context information are identified for links to remote objects received via different protocols, and the referrer context information comprises information allowing ascertainment of referrers that provided the network traffic containing the links to the remote objects to the client device;

storing the links to the remote objects and the associated referrer context information; and

responsive to receiving a request for a source of a remote object triggered by detection of malicious code associated with the remote object, looking up stored referrer context information associated with a link to the remote object.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer, computer program product, and method identify referrer context information associated with a remote object link. A network inspection module monitors network traffic and a remote object link identification module identifies remote links and their associated referrer context information. A link storage module stores the referrer context information along with the associated link. A look up module looks up the referrer context information in response to a request for a source of a link. The referrer context information is an important security resource in identifying the true source of a threat, and in avoiding future attacks. In addition, it allows for a more complete picture of how a link moves from one client to another by tracking how the link was sent and received.

54 Citations

View as Search Results

11 Claims

1. A method of identifying referrer context information for links to remote objects, comprising:
- monitoring network traffic received at a client device in a plurality of different protocols;
  
  identifying in the network traffic links to remote objects, the links received via the plurality of different protocols;
  
  identifying, using pattern matching, referrer context information within the monitored network traffic that is associated with the links to the remote objects, wherein types of referrer context information are specific to the protocols in which the links to the remote objects were received, different types of referrer context information are identified for links to remote objects received via different protocols, and the referrer context information comprises information allowing ascertainment of referrers that provided the network traffic containing the links to the remote objects to the client device;
  
  storing the links to the remote objects and the associated referrer context information; and
  
  responsive to receiving a request for a source of a remote object triggered by detection of malicious code associated with the remote object, looking up stored referrer context information associated with a link to the remote object.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the information allowing ascertainment of referrers that provided the network traffic containing the links to the remote objects to the client device comprises a user identification for a referrer of a link.
  - 3. The method of claim 1, further comprising:
    - monitoring network traffic transmitted from the client device in the plurality of different protocols;
      
      identifying in the network traffic transmitted in the plurality of different protocols links to remote objects;
      
      wherein identifying referrer context information further comprises identifying transmission context information associated with transmission of the links to the remote objects from the client device.
  - 4. The method of claim 3, further comprising in response to the request for the source of the remote object, looking up stored transmission context information associated with a transmission of the link to the remote object from the client device.
  - 5. The method of claim 1, wherein a protocol in which network traffic is received at the client device results in a file being stored at the client device, wherein the referrer context information for the file is stored in an alternate file stream or as attributes associated with the file, and wherein different types of referrer context information are stored for network traffic received via different protocols.

6. A non-transitory computer-readable storage medium having computer program instructions embodied therein for identifying referrer context information for links to remote objects, comprising:
- a network inspection module configured to monitor network traffic received at a client device in a plurality of different protocols;
  
  a remote object link identification module configured to identify in the network traffic links to remote objects, the links received via the plurality of different protocols, and to identify, using pattern matching, referrer context information within the monitored network traffic that is associated with the links to the remote objects, wherein types of referrer context information are specific to the protocols in which the links to the remote objects were received, different types of referrer context information are identified for links to remote objects received via different protocols, and the referrer context information comprises information allowing ascertainment of referrers that provided the network traffic containing the links to the remote objects to the client device;
  
  a link storage module configured to store the links to the remote objects and the associated referrer context information; and
  
  a look up module configured to look up stored referrer context information associated with a link to a remote object in response to receiving a request for a source of the remote object triggered by detection of malicious code associated with the remote object.
- View Dependent Claims (7, 8)
- - 7. The computer-readable storage medium of claim 6, wherein the information allowing ascertainment of referrers that provided the network traffic containing the links to the remote objects to the client device comprises a user identification for a referrer of a link.
  - 8. The computer-readable storage medium of claim 6, wherein:
    - the network inspection module is further configured to monitor network traffic transmitted from the client device in the plurality of different protocols; and
      
      the remote object link identification module is further configured to identify in the network traffic transmitted via the plurality of different protocols links to remote objects and to identify referrer context information associated with the links to the remote objects and specific to the protocol in which the links to the remote objects were transmitted from the client device.

9. A computer adapted to identify referrer context information for links to remote objects, comprising:
- a processor for executing computer program modules; and
  
  a non-transitory computer-readable storage medium storing executable computer program modules comprising;
  
  a network inspection module configured to monitor network traffic received at a client device in a plurality of different protocols;
  
  a remote object link identification module configured to identify in the network traffic links to remote objects, the links received via the plurality of different protocols, and to identify, using pattern matching, referrer context information within the monitored network traffic that is associated with the links to the remote objects, wherein types of referrer context information are specific to the protocols in which the links to the remote objects were received, different types of referrer context information are identified for links to remote objects received via different protocols, and the referrer context information comprises information allowing ascertainment of referrers that provided the network traffic containing the links to the remote objects to the client device;
  
  a link storage module configured to store the links to the remote objects and the associated referrer context information; and
  
  a look up module configured to look up stored referrer context information associated with a link to a remote object in response to receiving a request for a source of the remote object triggered by detection of malicious code associated with the remote object.
- View Dependent Claims (10, 11)
- - 10. The computer of claim 9, wherein the referrer context information comprises a user identification for a referrer of a link.
  - 11. The computer of claim 9, wherein:
    - the network inspection module is further configured to monitor network traffic transmitted from the client device in the plurality of different protocols; and
      
      the remote object link identification module is further configured to identify in the network traffic transmitted via the plurality of different protocols links to remote objects and to identify referrer context information associated with the links to the remote objects and specific to the protocol in which the links to the remote objects were transmitted from the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Cooley, Shaun, Ramzan, Zulfikar
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US11/961,495
Time in Patent Office

2,021 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 69/18 Multiprotocol handlers, e.g...

Referrer context identification for remote object links

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Referrer context identification for remote object links

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links