Disambiguating conflicting content filter rules

US 9,356,937 B2
Filed: 11/13/2013
Issued: 05/31/2016
Est. Priority Date: 11/13/2013
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a computing device against exploitation by active content downloaded over a network, comprising:

instantiating an active content filter (ACF) application in association with the computing device;

associating a risk value to each of a set of content filtering rules implemented by the ACF application;

associating a risk level to the ACF application that implements the content filtering rules;

upon receipt of active content, determining whether applying first and second rules of the set of content filtering rules to the active content results in a content filtering ambiguity;

when applying the first and second rules to the active content results in a content filtering ambiguity, comparing risk values of each of the first and second rules with the risk level of the ACF application and, in response to the comparison, selecting one of the first and second rules whose risk value has a predetermined relationship to the risk level of the ACF application to thereby provide an improved ACF application; and

applying the selected one of the first and second rules to filter the active content to enhance protection of the computing device against exploitation by the active content.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A content filtering mechanism is enhanced to resolve conflicts in filtering rules (e.g., those created by a whitelist, on the one hand, and a blacklist, on the other hand). Preferably, a conflict between or among content filtering rules is resolved by selecting among conflicting rules based on a notion of “risk” associated with the rules. According to this risk-based approach, when two or more rules conflict with one another, the particular rule whose risk value has a predetermined relationship (e.g., aligns most closely) with a risk level associated with the application (applying the rules) then takes precedence. By selecting among conflicting rules based on risk, the potential or actual conflicts are disambiguated, with the result being that the content is filtered appropriately.

10 Citations

17 Claims

1. A method of protecting a computing device against exploitation by active content downloaded over a network, comprising:
- instantiating an active content filter (ACF) application in association with the computing device;
  
  associating a risk value to each of a set of content filtering rules implemented by the ACF application;
  
  associating a risk level to the ACF application that implements the content filtering rules;
  
  upon receipt of active content, determining whether applying first and second rules of the set of content filtering rules to the active content results in a content filtering ambiguity;
  
  when applying the first and second rules to the active content results in a content filtering ambiguity, comparing risk values of each of the first and second rules with the risk level of the ACF application and, in response to the comparison, selecting one of the first and second rules whose risk value has a predetermined relationship to the risk level of the ACF application to thereby provide an improved ACF application; and
  
  applying the selected one of the first and second rules to filter the active content to enhance protection of the computing device against exploitation by the active content.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as described in claim 1 further including:
    - modifying the risk level of the application based on one of;
      
      a content type, a time of day, a user role or group, a request type, and a request source.
  - 3. The method as described in claim 1 wherein risk values associated with the first and second rules define a relative security strength.
  - 4. The method as described in claim 1 wherein risk values associated with the first and second rules define a relative granularity.
  - 5. The method as described in claim 1 wherein first rule is associated with a whitelist and the second rule is associated with a blacklist.
  - 6. The method as described in claim 1 wherein the first and second rules are applied concurrently in a single pass filtering operation.

7. A computing device apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to protect the computer device apparatus against exploitation by active content downloaded over a network by the following operations;
  
  instantiating an active content filter (ACF) application in association with the computing device;
  
  associating a risk value to each of a set of content filtering rules implemented by the ACF application;
  
  associating a risk level to the ACF application that implements the content filtering rules;
  
  upon receipt of active content, determining whether applying first and second rules of the set of content filtering rules to the active content results in a content filtering ambiguity;
  
  when applying the first and second rules to the active content results in a content filtering ambiguity, comparing risk values of each of the first and second rules with the risk level of the ACF application and, in response to the comparison, selecting one of the first and second rules whose risk value has a predetermined relationship to the risk level of the ACF application to thereby provide an improved ACF application; and
  
  applying the selected one of the first and second rules to filter the active content to enhance protection of the computing device against exploitation by the active content.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as described in claim 7 wherein the operations further include:
    - modifying the risk level of the application based on one of;
      
      a content type, a time of day, a user role or group, a request type, and a request source.
  - 9. The apparatus as described in claim 7 wherein risk values associated with the first and second rules define a relative security strength.
  - 10. The apparatus as described in claim 7 wherein risk values associated with the first and second rules define a relative granularity.
  - 11. The apparatus as described in claim 7 wherein first rule is associated with a whitelist and the second rule is associated with a blacklist.
  - 12. The apparatus as described in claim 7 wherein the first and second rules are applied concurrently in a single pass filtering operation.

13. A computer program product in a non-transitory computer readable medium for use in a computing device, the computer program product holding computer program instructions which, when executed by the computing device, perform a method of protecting the computing device against exploitation by active content downloaded over a network, the method comprising:
- instantiating an active content filter (ACF) application in association with the computer device;
  
  associating a risk value to each of a set of content filtering rules implemented by the ACF application;
  
  associating a risk level to the ACF application that implements the content filtering rules;
  
  upon receipt of active content, determining whether applying first and second rules of the set of content filtering rules to the active content results in a content filtering ambiguity;
  
  when applying the first and second rules to the active content results in a content filtering ambiguity, comparing risk values of each of the first and second rules with the risk level of the ACF application and, in response to the comparison, selecting one of the first and second rules whose risk value has a predetermined relationship to the risk level of the ACF application to thereby provide an improved ACF application; and
  
  applying the selected one of the first and second rules to filter the active content to enhance protection of the computing device against exploitation by the active content.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product as described in claim 13 wherein the method further includes:
    - modifying the risk level of the application based on one of;
      
      a content type, a time of day, a user role or group, a request type, and a request source.
  - 15. The computer program product described in claim 13 wherein risk values associated with the first and second rules define a relative security strength.
  - 16. The computer program product as described in claim 13 wherein risk values associated with the first and second rules define a relative granularity.
  - 17. The computer program product as described in claim 13 wherein first rule is associated with a whitelist and the second rule is associated with a blacklist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hoy, Jeffrey Robert, Albouyeh, Shadi Eskamaei, Carter, Bernadette Alexia, Trunzo, Stephanie Lynn
Primary Examiner(s)
EDWARDS, LINGLAN E

Application Number

US14/078,685
Publication Number

US 20150135256A1
Time in Patent Office

930 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Disambiguating conflicting content filter rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Disambiguating conflicting content filter rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links