Systems and methods to detect malicious media files
First Claim
1. An apparatus comprising:
a network connection;
a memory including instructions stored thereon; and
a programmable processor communicatively coupled to the memory, wherein the instructions, when executed by the programmable processor, cause the programmable processor to:
receive a data stream from the network connection;
detect, within the data stream, at least a portion of a media file;
determine a file type of the media file from the detected portion of the media file;
extract the media file from the data stream received from the network connection;
parse the media file based on the determined file type to locate a suspicious tag, wherein the suspicious tag is part of a set of tags and wherein the set of tags vary as a function of the determined file type;
extract an embedded uniform resource locator (URL) from the suspicious tag;
determine whether the embedded URL is malicious, comprising:
determining whether the embedded URL matches a known malicious URL within a local database; and
submitting the embedded URL to a domain reputation system to analyze the embedded URL against a centralized database, wherein submitting is only performed if a match is not found within the local database; and
block the media file if the embedded URL is determined to be malicious.
Abstract
Systems and methods to detect malicious media files are described. In one example, an apparatus including a network connection, a memory, and a programmable processor communicatively coupled to the memory is discussed. The memory can include instructions, which when executed by the programmable processor cause the apparatus to receive a data stream from the network connection and detect at least a portion of a media file within the data stream. The instructions can also cause the apparatus to determine a file type of the media file and extract the media file from the data stream. Further, the instructions cause the apparatus to parse the media file to locate a suspicious tag, extract an embedded URL from the suspicious tag, determine whether the embedded URL is malicious, and block the media file if the embedded URL is malicious.
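The pipeline described in the abstract and claims, sketched in Python as an added example (not code from the patent or its assignee). The file formats, tag names, byte-scan heuristic and the `reputation_lookup` callback are assumptions, since the claims name none of them.

```python
import re

# Assumed formats and tag names (the claims name none); magic bytes are the real ones.
FILE_TYPES = {
    "asf": (bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"), "utf-16-le", ["URLANDEXIT"]),
    "mp3": (b"ID3", "latin-1", ["WXXX", "WOAF"]),
}
URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+")

def detect_type(stream):
    """Return (file_type, offset) for the earliest media signature, or None."""
    hits = [(stream.find(magic), name) for name, (magic, _, _) in FILE_TYPES.items()]
    hits = [h for h in hits if h[0] >= 0]
    return (min(hits)[1], min(hits)[0]) if hits else None

def extract_urls(media, file_type, window=512):
    """Heuristic scan (not a full container parser): URLs found just after each tag."""
    _, encoding, tags = FILE_TYPES[file_type]
    urls = []
    for tag in tags:
        raw = tag.encode(encoding)
        pos = media.find(raw)
        while pos >= 0:
            start = pos + len(raw)
            text = media[start:start + window].decode(encoding, errors="ignore")
            match = URL_RE.search(text)
            if match and match.group(0) not in urls:
                urls.append(match.group(0))
            pos = media.find(raw, start)
    return urls

def inspect_stream(stream, local_db, reputation_lookup):
    """Return ("block", url) or ("pass", None); remote lookup runs only on a local miss."""
    found = detect_type(stream)
    if found is None:
        return ("pass", None)
    file_type, offset = found
    for url in extract_urls(stream[offset:], file_type):
        # `or` short-circuits: the reputation system is not queried on a local match.
        if url in local_db or reputation_lookup(url):
            return ("block", url)
    return ("pass", None)

# Constructed sample streams (not real captures).
SAMPLE_ASF = (b"HTTP/1.1 200 OK\r\n\r\n" + FILE_TYPES["asf"][0] + b"\x00" * 8
              + "URLANDEXIT\x00http://known-bad.example/a\x00".encode("utf-16-le"))
SAMPLE_MP3 = (b"ID3\x03\x00\x00\x00\x00\x00\x40WXXX\x00\x00\x00\x20\x00\x00\x00"
              + b"http://unknown.example/b\x00")
```

A short signature such as `ID3` can match unrelated bytes in a stream, so a production detector would validate the header fields that follow before treating the data as a media file.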
19 Claims
7. A method comprising:
receiving data from an incoming network connection;
detecting, within the data, at least a portion of a media file;
determining a file type of the media file from the detected portion of the media file;
extracting the media file from the data received from the incoming network connection;
parsing the media file based on the determined file type to locate a suspicious tag, wherein the suspicious tag is part of a set of tags and wherein the set of tags vary as a function of the determined file type;
extracting an embedded uniform resource locator (URL) from the suspicious tag;
determining whether the embedded URL is malicious, comprising:
determining whether the embedded URL matches a known malicious URL within a local database; and
submitting the embedded URL to a domain reputation system to analyze the embedded URL against a centralized database wherein submitting is only performed if a match is not found within the local database; and
blocking the media file if the embedded URL is malicious.
13. A system comprising:
a network;
a database including data related to potentially malicious URLs; and
a computer communicatively coupled to the database, the computer including:
a network interface connecting the computer to the network;
a memory containing instructions; and
one or more processors communicatively coupled to the memory, wherein the instructions, when executed by the one or more processors, cause the computer to:
monitor data transferred over the network through the network interface;
detect, within the data transferred over the network, at least a portion of a media file;
determine a file type of the media file from the detected portion of the media file;
parse the media file based on the determined file type to locate suspicious tags, wherein the suspicious tags are part of a set of tags and wherein the set of tags vary as a function of the determined file type;
extract an embedded uniform resource locator (URL) from a suspicious tag;
determine whether the embedded URL is malicious, comprising:
determining whether the embedded URL matches data related to potentially malicious URLs within the database; and
submitting the embedded URL to a domain reputation system to analyze the embedded URL against a centralized database wherein submitting is only performed if a match is not found within the database; and
discard the media file if the embedded URL is malicious.
Specification