Filtering hidden data embedded in media files

US 9,419,998 B1
Filed: 04/19/2016
Issued: 08/16/2016
Est. Priority Date: 04/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing network traffic by a network security appliance associated with a protected network, wherein the network traffic is originated by a source external to the protected network and is directed to an intended recipient associated with the protected network;

extracting, by the network security appliance, a media file from the network traffic;

determining, by the network security appliance, presence of a potentially malicious hidden data item embedded in the media file in a form of encoded data within one or more of a digital watermark, steganography and a barcode by decoding the encoded data by a decoding module of the network security appliance;

determining whether the decoded data violates one or more security policies of a plurality of security policies of the network appliance by applying a Uniform Resource Locator (URL) filter to the decoded data by a content inspection engine of the network security appliance; and

when said determining whether the decoded data violates one or more security policies is affirmative, then protecting the intended recipient against the potentially malicious hidden data item by the network security appliance performing one or more of (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient to be alerted regarding the potentially malicious hidden data item and (iii) causing a network administrator of the protected network to be alerted regarding the potentially malicious hidden data item.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for filtering unsafe content at a network security appliance are provided. According to one embodiment, a network security appliance captures network traffic and extracts a media file from the network traffic. The network security appliance then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security appliance performs one or more actions on the media file based on a predefined security policy.

Citations

16 Claims

1. A method comprising:
- capturing network traffic by a network security appliance associated with a protected network, wherein the network traffic is originated by a source external to the protected network and is directed to an intended recipient associated with the protected network;
  
  extracting, by the network security appliance, a media file from the network traffic;
  
  determining, by the network security appliance, presence of a potentially malicious hidden data item embedded in the media file in a form of encoded data within one or more of a digital watermark, steganography and a barcode by decoding the encoded data by a decoding module of the network security appliance;
  
  determining whether the decoded data violates one or more security policies of a plurality of security policies of the network appliance by applying a Uniform Resource Locator (URL) filter to the decoded data by a content inspection engine of the network security appliance; and
  
  when said determining whether the decoded data violates one or more security policies is affirmative, then protecting the intended recipient against the potentially malicious hidden data item by the network security appliance performing one or more of (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient to be alerted regarding the potentially malicious hidden data item and (iii) causing a network administrator of the protected network to be alerted regarding the potentially malicious hidden data item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said determining presence of a potentially malicious hidden data item comprises matching a signature of the media file against a plurality of signatures of media files known to include unsafe hidden data.
  - 3. The method of claim 1, wherein the plurality of security policies includes a security policy containing information indicative of a URL known to be associated with malicious activities.
  - 4. The method of claim 1, wherein the plurality of security policies includes a security policy containing information indicative of a URL associated with a blocked website.
  - 5. The method of claim 1, wherein the plurality of security policies includes a security policy containing information indicative of a URL that redirects to a blocked website.
  - 6. The method of claim 1, wherein the media file comprises an image file.
  - 7. The method of claim 1, wherein the media file comprises a video file.
  - 8. The method of claim 1, wherein the barcode comprises a linear barcode or a matrix barcode.

9. A network security appliance comprising:
- a non-transitory storage device having embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  capturing network traffic associated with a protected network protected by the network security appliance, wherein the network traffic is originated by a source external to the protected network and is directed to an intended recipient associated with the protected network;
  
  extracting a media file from the network traffic;
  
  determining presence of a potentially malicious hidden data item embedded in the media file in a form of encoded data within one or more of a digital watermark, steganography and a barcode by decoding the encoded data by a decoding module of the security application;
  
  determining whether the decoded data violates one or more security policies of a plurality of security policies of the network appliance by applying a Uniform Resource Locator (URL) filter to the decoded data by a content inspection engine of the security application; and
  
  when said determining whether the decoded data violates one or more security policies is affirmative, then protecting the intended recipient against the potentially malicious hidden data item by one or more of (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient to be alerted regarding the potentially malicious hidden data item and (iii) causing a network administrator of the protected network to be alerted regarding the potentially malicious hidden data item.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network security appliance of claim 9, wherein said determining presence of a potentially malicious hidden data item comprises matching a signature of the media file against a plurality of signatures of media files known to include unsafe hidden data.
  - 11. The network security appliance of claim 9, wherein the plurality of security policies includes a security policy containing information indicative of a URL known to be associated with malicious activities.
  - 12. The network security appliance of claim 9, wherein the plurality of security policies includes a security policy containing information indicative of a URL associated with a blocked website.
  - 13. The network security appliance of claim 9, wherein the plurality of security policies includes a security policy containing information indicative of a URL that redirects to a blocked website.
  - 14. The network security appliance of claim 9, wherein the media file comprises an image file.
  - 15. The network security appliance of claim 9, wherein the media file comprises video file.
  - 16. The network security appliance of claim 9, wherein the barcode comprises a linear barcode or a matrix barcode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Yan, Guoyi, Zheng, Juneng
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/132,879
Publication Number

US 20160234228A1
Time in Patent Office

119 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04N 1/32352   Controlling detectability o...

Filtering hidden data embedded in media files

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering hidden data embedded in media files

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links