Automated detection of harmful content

US 9,392,014 B2
Filed: 09/10/2013
Issued: 07/12/2016
Est. Priority Date: 09/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method for automatically detecting malicious content by computer security routine executed in a processing device, the method comprising:

detecting, in the processing device, a user input to a social status update publication application, wherein the user input indicates that a user wants to share content with at least one other user through the social status update publication application;

suspending a sharing operation of the social status update publication application and performing, by the processing device before determining whether or not to allow the sharing, a security check for suspiciousness in the content the user intends to share;

upon detecting in the security check that the content the user intends to share comprises malware, cancelling the suspended sharing operation; and

upon detecting no malicious content in the security check, allowing continuation of the suspended sharing operation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This document discloses a solution for automatically detecting malicious content by computer security routine executed in a processing device. A user input to a social media application is detected by the computer security routine. The user input indicates that a user wants to share content with at least one other user through the social media application. In response, the computer security routine suspends said sharing and performs, before determining whether or not to allow the sharing, a security check for suspiciousness of contents the user intends to share.

Citations

21 Claims

1. A method for automatically detecting malicious content by computer security routine executed in a processing device, the method comprising:
- detecting, in the processing device, a user input to a social status update publication application, wherein the user input indicates that a user wants to share content with at least one other user through the social status update publication application;
  
  suspending a sharing operation of the social status update publication application and performing, by the processing device before determining whether or not to allow the sharing, a security check for suspiciousness in the content the user intends to share;
  
  upon detecting in the security check that the content the user intends to share comprises malware, cancelling the suspended sharing operation; and
  
  upon detecting no malicious content in the security check, allowing continuation of the suspended sharing operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the user input is an initiation of a paste operation to enter the content to be shared from a copy-paste buffer of the processing device into a text field of the social media publication application, the method further comprising:
    - hooking the computer security routine to the paste operation and, upon detecting the paste operation, suspending the detected paste operation for the duration of the security check directed to the content of the paste operation.
  - 3. The method of claim 1, wherein the user input is an initiation of a copy operation to enter the content to be shared to the copy-paste buffer of the processing device, the method further comprising:
    - hooking the computer security routine to the copy operation and, upon detecting the initiation of the copy operation by the user input, suspending the detected copy operation for the duration of security check directed to the content of the copy operation.
  - 4. The method of claim 1, wherein said security check comprises:
    - scanning the contents the user intends to share for a uniform resource locator;
      
      upon detecting the uniform resource locator within the contents, checking a reputation status of the uniform resource locator.
  - 5. The method of claim 1, wherein the user input launches a redirection command to redirect from a first uniform resource location to a second uniform resource location, the method further comprising:
    - identifying the redirection as a redirection to share at least some of the contents of the first uniform resource location;
      
      suspending the redirection upon detecting the user input and applying the security check to at least one uniform resource locator related to the redirection.
  - 6. The method of claim 5, wherein the redirection input is a pointing input of a share button related to the social media publication application.
  - 7. The method of claim 5, wherein said security check comprises checking a reputation status of the second uniform resource location comprised in the redirection command and/or a uniform resource locator comprised in the contents of the first uniform resource location that are to be shared.
  - 8. The method of claim 1, further comprising:
    - detecting a uniform resource locator within the contents to be shared;
      
      detecting that the uniform resource locator is a shortened uniform resource locator;
      
      resolving a real uniform resource locator behind the shortened uniform resource locator; and
      
      applying said security check to the real uniform resource locator.
  - 9. The method of claim 1, wherein said security check comprises:
    - determining whether or not the contents to be shared comprises at least one of the following harmful contents;
      
      malicious payload creating a security risk for the processing device, a link to a web site known to contain suspicious contents, and information that is under a parental control of the processing device; and
      
      upon determining that the contents to be shared comprises at least one of said harmful contents, taking a precautionary action to prevent an effect of said harmful contents.
  - 10. The method of claim 1, wherein said security check comprises:
    - providing a reputation database comprising a plurality of categories for different types of contents, wherein some of the categories define contents that are allowed for sharing and some of the categories define contents that are not allowed for sharing;
      
      determining a category of the contents to be shared; and
      
      upon determining that the contents to be shared belongs to a category for which sharing is not allowed, preventing said sharing.

11. An apparatus comprising:
- at least one processor; and
  
  at least one non-transitory memory including a computer program code, wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to;
  
  execute a computer security routine;
  
  detect a user input to a social status update publication application, wherein the user input indicates that a user wants to share content with at least one other user through the social status update publication application;
  
  suspend a sharing operation of the social status update publication application and perform, before determining whether or not to allow the sharing, a security check for suspiciousness in the content the user intends to share;
  
  upon detecting in the security check that the content the user intends to share comprises malware, cancel the suspended sharing operation; and
  
  upon detecting no malicious content in the security check, allow continuation of the suspended sharing operation.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein the user input is an initiation of a paste operation to enter the content to be shared from a copy-paste buffer of the processing device into a text field of the social media publication application, and wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to hook the computer security routine to the paste operation and, upon detecting the paste operation, suspending the detected paste operation for the duration of the security check directed to the content of the paste operation.
  - 13. The apparatus of claim 11, wherein the user input is an initiation of a copy operation to enter the content to be shared to the copy-paste buffer of the processing device, and wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to hook the computer security routine to the copy operation and, upon detecting the initiation of the copy operation by the user input, suspending the detected copy operation for the duration of security check directed to the content of the copy operation.
  - 14. The apparatus of claim 11, wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to:
    - scan, during the security check, the contents the user intends to share for a uniform resource locator;
      
      upon detecting the uniform resource locator within the contents, check a reputation status of the uniform resource locator.
  - 15. The apparatus of claim 11, wherein the user input launches a redirection command to redirect from a first uniform resource location to a second uniform resource location, and wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to:
    - identify the redirection as a redirection to share at least some of the contents of the first uniform resource location;
      
      suspend the redirection upon detecting the user input and apply the security check to at least one uniform resource locator related to the redirection.
  - 16. The apparatus of claim 15, wherein the redirection input is a pointing input of a share button related to the social media publication application.
  - 17. The apparatus of claim 15, wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to check, during the security check, a reputation status of the second uniform resource location comprised in the redirection command and/or a uniform resource locator comprised in the contents of the first uniform resource location that are to be shared.
  - 18. The apparatus of claim 11, wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to:
    - detect a uniform resource locator within the contents to be shared;
      
      detect that the uniform resource locator is a shortened uniform resource locator;
      
      resolve a real uniform resource locator behind the shortened uniform resource locator; and
      
      apply said security check to the real uniform resource locator.
  - 19. The apparatus of claim 11, wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to:
    - determining, during the security check, whether or not the contents to be shared comprises at least one of the following harmful contents;
      
      malicious payload creating a security risk for the processing device, a link to a web site known to contain suspicious contents, and information that is under a parental control of the processing device; and
      
      upon determining that the contents to be shared comprises at least one of said harmful contents, take a precautionary action to prevent an effect of said harmful contents.
  - 20. The apparatus of claim 11, wherein the at least one non-transitory memory and the computer program code are configured, with the at least one processor, to cause the apparatus to:
    - utilize a reputation database comprising a plurality of categories for different types of contents, wherein some of the categories define contents that are allowed for sharing and some of the categories define contents that are not allowed for sharing;
      
      determine a category of the contents to be shared; and
      
      upon determining that the contents to be shared belongs to a category for which sharing is not allowed, prevent said sharing.

21. A computer program product embodied on a non-transitory distribution medium readable by a computer and comprising program instructions which, when loaded into an apparatus, execute a computer process comprising:
- detecting a user input to a social status update publication application, wherein the user input indicates that a user wants to share content with at least one other user through the social status update publication application;
  
  suspending a sharing operation of the social status update publication application and performing, before determining whether or not to allow the sharing, a security check for suspiciousness in the content the user intends to share;
  
  upon detecting in the security check that the content the user intends to share comprises malware, cancelling the suspended sharing operation; and
  
  upon detecting no malicious content in the security check, allowing continuation of the suspended sharing operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Withsecure Corporation
Original Assignee
F-Secure Corporation (F-Secure Oyj)
Inventors
Palumbo, Paolo, Patel, Andrew
Primary Examiner(s)
Le, David

Application Number

US14/022,455
Publication Number

US 20140090055A1
Time in Patent Office

1,036 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0245 Filtering by information in...

H04L 63/145 the attack involving the pr...

Automated detection of harmful content

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Automated detection of harmful content

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links