Systems and methods to detect malicious media files

US 8,510,829 B2
Filed: 06/24/2010
Issued: 08/13/2013
Est. Priority Date: 06/24/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a network connection;

a memory including instructions stored thereon; and

a programmable processor communicatively coupled to the memory, wherein the instructions, when executed by the programmable processor, cause the programmable processor to;

receive a data stream from the network connection;

detect, within the data stream, at least a portion of a media file;

determine a file type of the media file from the detected portion of the media file;

extract the media file from the data stream received from the network connection;

parse the media file based on the determined file type to locate a suspicious tag, wherein the suspicious tag is part of a set of tags and wherein the set of tags vary as a function of the determined file type;

extract an embedded uniform resource locator (URL) from the suspicious tag;

determine whether the embedded URL is malicious, comprising;

determining whether the embedded URL matches a known malicious URL within a local database; and

submitting the embedded URL to a domain reputation system to analyze the embedded URL against a centralized database, wherein submitting is only performed if a match is not found within the local database; and

block the media file if the embedded URL is determined to be malicious.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and method to detect malicious media file are described. In one example, an apparatus including a network connection, a memory, and a programmable processor communicatively coupled to the memory is discussed. The memory can include instructions, which when executed by the programmable processor cause the apparatus to receive a data stream from the network connection and detect at least a portion of a media file within the data stream. The instructions can also cause the apparatus to determine a file type of the media file and extract the media file from the data stream. Further, the instructions cause the apparatus to parse the media file to location a suspicious tag, extract an embedded URL from the suspicious tag, determine with the embedded URL is malicious, and block the media file if the embedded URL is malicious.

48 Citations

View as Search Results

19 Claims

1. An apparatus comprising:
- a network connection;
  
  a memory including instructions stored thereon; and
  
  a programmable processor communicatively coupled to the memory, wherein the instructions, when executed by the programmable processor, cause the programmable processor to;
  
  receive a data stream from the network connection;
  
  detect, within the data stream, at least a portion of a media file;
  
  determine a file type of the media file from the detected portion of the media file;
  
  extract the media file from the data stream received from the network connection;
  
  parse the media file based on the determined file type to locate a suspicious tag, wherein the suspicious tag is part of a set of tags and wherein the set of tags vary as a function of the determined file type;
  
  extract an embedded uniform resource locator (URL) from the suspicious tag;
  
  determine whether the embedded URL is malicious, comprising;
  
  determining whether the embedded URL matches a known malicious URL within a local database; and
  
  submitting the embedded URL to a domain reputation system to analyze the embedded URL against a centralized database, wherein submitting is only performed if a match is not found within the local database; and
  
  block the media file if the embedded URL is determined to be malicious.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the instructions cause the programmable processor to determine whether the embedded URL is malicious by comparing the embedded URL signature against a plurality of known URL signatures.
  - 3. The apparatus of claim 2, wherein the instructions cause the programmable processor to determine whether the embedded URL is malicious by comparing the embedded URL signature against a plurality of signatures of known malicious URLs and known good URLs.
  - 4. The apparatus of claim 1, wherein the instructions cause the programmable processor to detect a media file in the data stream by identifying a media file object tag within the data stream.
  - 5. The apparatus of claim 1, wherein the instructions cause the programmable processor to determine a file type of the media file by determining that the media file is one of the media file types in the following group of media file types:
    - Advanced System Format (ASF);
      
      QuickTime File Format; and
      
      Real Media File Format.
  - 6. The apparatus of claim 1, wherein the instructions cause the programmable processor to parse the media file by searching within the media file for signatures matching the suspicious tags associated with the file type.

7. A method comprising:
- receiving data from an incoming network connection;
  
  detecting, within the data, at least a portion of a media file;
  
  determining a file type of the media file from the detected portion of the media file;
  
  extracting the media file from the data received from the incoming network connection;
  
  parsing the media file based on the determined file type to locate a suspicious tag, wherein the suspicious tag is part of a set of tags and wherein the set of tags vary as a function of the determined file type;
  
  extracting an embedded uniform resource locator (URL) from the suspicious tag;
  
  determining whether the embedded URL is malicious, comprising;
  
  determining whether the embedded URL matches a known malicious URL within a local database; and
  
  submitting the embedded URL to a domain reputation system to analyze the embedded URL against a centralized database wherein submitting is only performed if a match is not found within the local database; and
  
  blocking the media file if the embedded URL is malicious.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein determining whether the embedded URL is malicious includes comparing an embedded URL signature against a plurality of known URL signatures.
  - 9. The method of claim 8, wherein the plurality of known URL signatures includes signatures of known malicious URLs and known good URLs.
  - 10. The method of claim 7, wherein the detecting a media file includes identifying a media file related object tag within a web page.
  - 11. The method of claim 7, wherein the determining a file type of the media file includes determining that the media file is one of the media file types in the following group of media file types:
    - Advanced System Format (ASF);
      
      QuickTime File Format; and
      
      Real Media File Format.
  - 12. The method of claim 7, wherein the parsing the media the includes searching within the media file for signatures matching the suspicious tags associated with the file type.

13. A system comprising:
- a network;
  
  a database including data related to potentially malicious URLs; and
  
  a computer communicatively coupled to the database, the computer including;
  
  a network interface connecting the computer to the network;
  
  a memory containing instructions; and
  
  one or more processors communicatively coupled to the memory, wherein the instructions, when executed by the one or more processors, cause the computer to;
  
  monitor data transferred over the network through the network interface;
  
  detect, within the data transferred over the network, at least a portion of a media file;
  
  determine a file type of the media file from the detected portion of the media file;
  
  parse the media the based on the determined file type to locate suspicious tags, wherein the suspicious tags are part of a set of tags and wherein the set of tags vary as a function of the determined file type;
  
  extract an embedded uniform resource locator (URL) from a suspicious tag;
  
  determine whether the embedded URL is malicious, comprising;
  
  determining whether the embedded URL matches data related to potentially malicious URLs within the database; and
  
  submitting the embedded URL to a domain reputation system to analyze the embedded URL against a centralized database wherein submitting is only performed if a match is not found within the database; and
  
  discard the media the if the embedded URL is malicious.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the instructions cause the computer further to transmit the media the on to an original destination of the media the if the embedded URL is not determined to be malicious.
  - 15. The system of claim 13, wherein the database is connected to the network.
  - 16. The system of claim 13, wherein the database includes a plurality of URL signatures including signatures of known good URLs and known malicious URLs.
  - 17. The system of claim 13 further comprising:
    - a second network connected to the local network through a gateway device; and
      
      the domain reputation system connected to the second network.
  - 18. The system of claim 17, wherein the computer further includes a second network interface connected to a second network;
    - andwherein the memory further includes instructions that cause the computer to function as the gateway device.
  - 19. The system of claim 13, wherein the instructions cause the computer further to determine a malware probability for the media file based upon a probability calculated as a function of the malware probability of two or more URLs extracted from the media file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mohandas, Rahul, Thomas, Vinoo, Prashanth, Plasamudram Ramagopal
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
SHAW, BRIAN F

Application Number

US12/822,856
Publication Number

US 20110321160A1
Time in Patent Office

1,146 Days
Field of Search

726/22, 709/238
US Class Current

726/22
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

Systems and methods to detect malicious media files

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods to detect malicious media files

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links