Systems and methods for risk rating and pro-actively detecting malicious online ads

US 9,306,968 B2
Filed: 07/30/2014
Issued: 04/05/2016
Est. Priority Date: 03/04/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine readable medium on which are stored instructions, comprising instructions that when executed cause a programmable device to:

receive a web page including a SWF (small web format) file dynamically included in the web page as the web page is provided to the programmable device;

locate an embedded redirection URL (uniform resource locator) contained within the SWF file;

obtain a risk rating for the embedded redirection URL from a risk database if the risk rating for the embedded redirection URL is available in the risk database;

generate the risk rating for the embedded redirection URL when the risk rating for the embedded redirection URL was not obtained from the risk database; and

generate a risk rating for the SWF file based at least in part on the risk rating for the embedded redirection URL.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display.

Citations

25 Claims

1. A non-transitory machine readable medium on which are stored instructions, comprising instructions that when executed cause a programmable device to:
- receive a web page including a SWF (small web format) file dynamically included in the web page as the web page is provided to the programmable device;
  
  locate an embedded redirection URL (uniform resource locator) contained within the SWF file;
  
  obtain a risk rating for the embedded redirection URL from a risk database if the risk rating for the embedded redirection URL is available in the risk database;
  
  generate the risk rating for the embedded redirection URL when the risk rating for the embedded redirection URL was not obtained from the risk database; and
  
  generate a risk rating for the SWF file based at least in part on the risk rating for the embedded redirection URL.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The machine readable medium of claim 1, wherein the instructions that when executed cause the programmable device to generate a risk rating for the SWF file comprise instructions that when executed cause the programmable device to:
    - analyze the behavior of the SWF file within a segregated execution sandbox.
  - 3. The machine readable medium of claim 2, wherein the instructions that when executed cause the programmable device to analyze the behavior of the SWF file comprise instructions that when executed cause the programmable device to:
    - process the embedded URL within the segregated execution sandbox; and
      
      evaluate the results of following the embedded redirection URL.
  - 4. The machine readable medium of claim 2, wherein the instructions that when executed cause the programmable device to analyze the behavior of the SWF file comprise instructions that when executed cause the programmable device to:
    - scan for shellcode within the SWF file.
  - 5. The machine readable medium of claim 2, wherein the instructions that when executed cause the programmable device to analyze the behavior of the SWF file comprise instructions that when executed cause the programmable device to:
    - scan for a malformed tag.
  - 6. The machine readable medium of claim 2, wherein the instructions that when executed cause the programmable device to analyze the behavior of the SWF file comprise instructions that when executed cause the programmable device to:
    - scan for a malicious script within the SWF file.
  - 7. The machine readable medium of claim 1, wherein the instructions that when executed cause the programmable device to generate a risk rating for the SWF file comprise instructions that when executed cause the programmable device to:
    - scan action tags.
  - 8. The machine readable medium of claim 1, wherein the instructions that when executed cause the programmable device to generate a risk rating for the SWF file comprise instructions that when executed cause the programmable device to:
    - generate a new risk rating for the SWF file based on at least one of;
      
      the embedded redirection URL contained within the SWF file;
      
      shellcode within the SWF file;
      
      a malformed tag within the SWF file;
      
      ora malicious script within the SWF file.
  - 9. The machine readable medium of claim 8, wherein the instructions further comprise instructions that when executed cause the programmable device to:
    - update the risk database with the generated risk rating for the embedded redirection URL and the new risk rating for the SWF file.
  - 10. The machine readable medium of claim 1, wherein the web page contains a link to the SWF file.
  - 11. The machine readable medium of claim 1, wherein the SWF file is embedded into the web page.

12. A system comprising:
- an extraction module configured to extract an SWF (small web format) file from a web page received from a web server, the SWF file dynamically included in the web page as the web page is provided by the web server;
  
  an analysis engine communicatively coupled to the extraction module and configured to;
  
  locate an embedded redirection URL (uniform resource locator) contained within the SWF file;
  
  obtain a risk rating for the embedded redirection URL from a risk database if the risk rating for the embedded redirection URL is available in the risk database;
  
  generate the risk rating for the embedded redirection URL when the risk rating for the embedded redirection URL was not obtained from the risk database; and
  
  generate a risk rating for the SWF file based at least in part on the risk rating for the embedded redirection URL; and
  
  a filter module configured to determine, based on the risk rating for the SWF file, whether to filter the SWF file and whether to send an alert to a browser for display within the web page.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the analysis engine is further configured to analyze the behavior of the SWF file within a segregated execution sandbox.
  - 14. The system of claim 13, wherein the analysis engine is configured to analyze the behavior of the SWF file within a segregated execution sandbox by being configured to:
    - process the embedded redirection URL within the segregated execution sandbox; and
      
      evaluate the results of following the embedded redirection URL.
  - 15. The system of claim 13, wherein the analysis engine is further configured to scan the SWF file for shellcode.
  - 16. The system of claim 13, wherein the analysis engine is further configured to scan the SWF file for malformed tags.
  - 17. The system of claim 13, wherein the analysis engine is further configured to scan the SWF file for malicious scripts.
  - 18. The system of claim 12, wherein the analysis engine is further configured to scan the SWF file for action tags representing potentially suspect functions.
  - 19. The system of claim 12, wherein the analysis engine comprises:
    - a risk rating module configured to generate the risk rating of the SWF file based on at least one of;
      
      the embedded redirection URL contained within the SWF file;
      
      a segment of shellcode within the SWF file;
      
      a malformed tag within the SWF file;
      
      ora malicious script within the SWF file.
  - 20. The system of claim 19, wherein the risk rating module is communicatively coupled to the risk database, and the risk rating module is configured to update the risk database with the generated risk rating for the SWF file.

21. A computer-implemented method of generating a risk rating for a SWF (small web format) file, comprising:
- extracting an SWF (small web format) file from a web page by a programmable device, the SWF file dynamically included in the web page as the web page is provided to the programmable device,locating an embedded redirection URL (uniform resource locator) contained within the SWF file;
  
  obtaining a risk rating for the embedded redirection URL from a risk database if the risk rating for the embedded redirection URL is available in the risk database;
  
  calculating the risk rating for the embedded redirection URL when the risk rating for the embedded redirection URL was not obtained from the risk database; and
  
  calculating a risk rating for the SWF file based at least in part on the risk rating for the embedded redirection URL.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer-implemented method of claim 21, wherein generating a risk rating for the SWF file comprises:
    - analyzing the behavior of the SWF file within a segregated execution sandbox.
  - 23. The computer-implemented method of claim 22, wherein analyzing the behavior of the SWF file comprises:
    - processing the embedded URL within the segregated execution sandbox; and
      
      evaluating the results of following the embedded redirection URL.
  - 24. The computer-implemented method of claim 22, wherein analyzing the behavior of the SWF file comprises:
    - scanning for one of;
      
      shellcode within the SWF file;
      
      a malicious script; and
      
      a malformed tag.
  - 25. The computer-implemented method of claim 22, further comprising:
    - updating the risk database with the generated risk rating for the embedded redirection URL and the risk rating for the SWF file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Sreedharan, Jayesh, Mohandas, Rahul
Primary Examiner(s)
Davis, Zachary A

Application Number

US14/446,620
Publication Number

US 20140344928A1
Time in Patent Office

615 Days
Field of Search

726/22, 726/23, 726/25, 713/187, 705/14.73
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2119   Authenticating web pages, e...

G06F 3/14   Digital output to display d...

G06Q 30/0277   Online advertisement

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

Systems and methods for risk rating and pro-actively detecting malicious online ads

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for risk rating and pro-actively detecting malicious online ads

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links