Malicious advertisement detection and remediation

US 9,398,031 B1
Filed: 02/04/2015
Issued: 07/19/2016
Est. Priority Date: 04/25/2009
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious advertising content, comprising:

a computer hardware processor;

a memory, accessible to the computer hardware processor, storing a network trace table and a module,wherein the network trace table is configured to store information from scanning advertisements;

wherein the module executes on the computer hardware processor and is configured to;

receive access to an advertisement in an ad network;

scan the advertisement to obtain scan information;

store the scan information in the network trace table;

determine, by the hardware processor using information stored in the network trace table, that the advertisement is a malicious advertisement;

in response to determining that the advertisement is a malicious advertisement;

locate other instances of the advertisement within other ad networks using the information stored in the network trace table;

cause the advertisement to cease being served in at least one of the other the ad networks;

update a historical rate of compromise for the ad network;

refine a threshold using the updated historical rate of compromise to obtain a refined threshold; and

modify the scan frequency of advertisements in the ad network based on the refined threshold.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting a malicious advertisement is disclosed. An advertisement is analyzed. A determination that the advertisement is associated with malicious activity is made. An indication that the advertisement is malicious is provided as output. The indication can be provided as a report, such as to a publisher and can also be provided using an API, such as to the entity responsible for serving the advertisement.

63 Citations

View as Search Results

20 Claims

1. A system for detecting malicious advertising content, comprising:
- a computer hardware processor;
  
  a memory, accessible to the computer hardware processor, storing a network trace table and a module,wherein the network trace table is configured to store information from scanning advertisements;
  
  wherein the module executes on the computer hardware processor and is configured to;
  
  receive access to an advertisement in an ad network;
  
  scan the advertisement to obtain scan information;
  
  store the scan information in the network trace table;
  
  determine, by the hardware processor using information stored in the network trace table, that the advertisement is a malicious advertisement;
  
  in response to determining that the advertisement is a malicious advertisement;
  
  locate other instances of the advertisement within other ad networks using the information stored in the network trace table;
  
  cause the advertisement to cease being served in at least one of the other the ad networks;
  
  update a historical rate of compromise for the ad network;
  
  refine a threshold using the updated historical rate of compromise to obtain a refined threshold; and
  
  modify the scan frequency of advertisements in the ad network based on the refined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the scan information comprises a scanned uniform resource locator (URL) associated with the advertisement.
  - 3. The system of claim 2, wherein the scan information further comprises information identifying a referred URL that is referred to by the scanned URL.
  - 4. The system of claim 3, wherein causing the malicious advertisement to cease being served comprises:
    - generating a report specifying the advertisement, andsending the report to the at least one other ad network.
  - 5. The system of claim 1, wherein the advertisement is scanned within a predetermined time of being uploaded to the ad network.
  - 6. The system of claim 1, wherein the module is further configured to provide, to the ad network, a report comprising a plurality of risk categories associated with the advertisement.
  - 7. The system of claim 6, wherein the report further comprises the historical rate of compromise of the ad network.
  - 8. The system of claim 7, wherein each of the plurality of risk categories is weighted to compute the historical rate of compromise.
  - 9. The system of claim 6, wherein at least one of the plurality of risk categories is selected from a group consisting of external JavaScripts, external iframes, advertisements, external images, and out-of-date web applications.

10. A method for detecting malicious advertising content, comprising:
- receiving access to an advertisement in an ad network;
  
  scanning the advertisement to obtain scan information;
  
  storing the scan information in the network trace table;
  
  determining, by a hardware processor using information stored in the network trace table, that the advertisement is a malicious advertisement;
  
  in response to determining that the advertisement is a malicious advertisement;
  
  locating other instances of the advertisement within other ad networks using the information stored in the network trace table;
  
  causing the advertisement to cease being served in at least one of the other the ad networks;
  
  updating a historical rate of compromise for the ad network;
  
  refining a threshold using the updated historical rate of compromise to obtain a refined threshold; and
  
  modifying the scan frequency of advertisements in the ad network based on the refined threshold.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the scan information comprises a scanned uniform resource locator (URL) associated with the advertisement.
  - 12. The method of claim 11, wherein the scan information further comprises information identifying a referred URL that is referred to by the scanned URL.
  - 13. The method of claim 12, wherein causing the malicious advertisement to cease being served comprises:
    - generating a report specifying the advertisement, andsending the report to the at least one other ad network.
  - 14. The method of claim 10, wherein the advertisement is scanned within a predetermined time of being uploaded to the ad network.
  - 15. The method of claim 10, wherein the module is further configured to provide, to the ad network, a report comprising a plurality of risk categories associated with the advertisement.
  - 16. The method of claim 15, wherein the report further comprises the historical rate of compromise of the ad network.
  - 17. The method of claim 16, wherein each of the plurality of risk categories is weighted to compute the historical rate of compromise.
  - 18. The method of claim 15, wherein at least one of the plurality of risk categories is selected from a group consisting of external JavaScripts, external iframes, advertisements, external images, and out-of-date web applications.

19. A non-transitory computer readable medium comprising computer readable program code, which when executed by a computer processor, enables the computer processor to:
- receive access to an advertisement in an ad network;
  
  scan the advertisement to obtain scan information;
  
  store the scan information in the network trace table;
  
  determine, using information stored in the network trace table, that the advertisement is a malicious advertisement;
  
  in response to determining that the advertisement is a malicious advertisement;
  
  locate other instances of the advertisement within other ad networks using the information stored in the network trace table;
  
  cause the advertisement to cease being served in at least one of the other the ad networks;
  
  update a historical rate of compromise for the ad network;
  
  refine a threshold using the updated historical rate of compromise to obtain a refined threshold; and
  
  modify the scan frequency of advertisements in the ad network based on the refined threshold.
- View Dependent Claims (20)
- - 20. The non-transitory computer readable medium of claim 19, wherein the scan information comprises a scanned uniform resource locator (URL) associated with the advertisement and wherein the scan information further comprises information identifying a referred URL that is referred to by the scanned URL.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Dasient, Inc. (X Holdings Corp.)
Original Assignee
Dasient, Inc. (X Holdings Corp.)
Inventors
Ranadive, Ameet, Rizvi, Shariq, Daswani, Neilkumar Murli
Primary Examiner(s)
Chai, Longbit

Application Number

US14/614,317
Time in Patent Office

531 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Malicious advertisement detection and remediation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Malicious advertisement detection and remediation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others