Filtering hidden data embedded in media files

US 9,729,511 B2
Filed: 03/11/2017
Issued: 08/08/2017
Est. Priority Date: 04/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

capturing network traffic, by a network security device protecting a private network, wherein the network traffic is directed to an intended recipient associated with the private network;

extracting, by an Intrusion Prevention System (IPS) engine running on the network security device, a media file from the network traffic;

determining, by the IPS engine, presence of a potentially malicious hidden data item embedded in the media file, wherein the potentially malicious hidden data item comprises encoded data within one or more of a digital watermark, steganography and a barcode;

determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy of a plurality of security policies of the private network enforced by the network security device by decoding the encoded data and applying a content filter to a result of the decoding; and

when said determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy is affirmative, then (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient to be alerted regarding the violated security policy and (iii) causing a network administrator of the private network to be alerted regarding the violated security policy.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for filtering unsafe content by a network security device are provided. According to one embodiment, a network security device captures network traffic and extracts a media file from the network traffic. The network security device then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security device performs one or more actions on the media file based on a predefined security policy.

14 Citations

View as Search Results

20 Claims

1. A method comprising:
- capturing network traffic, by a network security device protecting a private network, wherein the network traffic is directed to an intended recipient associated with the private network;
  
  extracting, by an Intrusion Prevention System (IPS) engine running on the network security device, a media file from the network traffic;
  
  determining, by the IPS engine, presence of a potentially malicious hidden data item embedded in the media file, wherein the potentially malicious hidden data item comprises encoded data within one or more of a digital watermark, steganography and a barcode;
  
  determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy of a plurality of security policies of the private network enforced by the network security device by decoding the encoded data and applying a content filter to a result of the decoding; and
  
  when said determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy is affirmative, then (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient to be alerted regarding the violated security policy and (iii) causing a network administrator of the private network to be alerted regarding the violated security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the content filter comprises a Uniform Resource Locator (URL) filter.
  - 3. The method of claim 2, wherein the security policy contains information indicative of a URL known to be associated with malicious activities.
  - 4. The method of claim 2, wherein the security policy contains information indicative of a URL associated with a blacklisted website.
  - 5. The method of claim 2, wherein the security policy contains information indicative of a URL that redirects to or is otherwise associated with a blacklisted website.
  - 6. The method of claim 1, wherein said determining, by the IPS engine, presence of a potentially malicious hidden data item comprises matching a signature of the media file against a plurality of signatures of media files known to include unsafe hidden data.
  - 7. The method of claim 1, wherein said determining, by the IPS engine, presence of a potentially malicious hidden data item comprises performing content inspection processing on the media file.
  - 8. The method of claim 1, wherein said determining, by the IPS engine, presence of a potentially malicious hidden data item comprises sending the media file or information regarding the media file to a remote or cloud-based network security appliance external to the private network.
  - 9. The method of claim 1, wherein the media file comprises an image file or a video file.
  - 10. The method of claim 1, wherein the barcode comprises a linear barcode or a matrix barcode.

11. A network security device comprising:
- a non-transitory storage device having embodied therein one or more modules of a firewall and an Intrusion Prevention System (IPS) engine; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the one or more modules to perform a method comprising;
  
  capturing, by the firewall, network traffic directed to an intended recipient associated with a private network protected by the network security device;
  
  extracting, by the IPS engine, a media file from the network traffic;
  
  determining, by the IPS engine, presence of a potentially malicious hidden data item embedded in the media file, wherein the potentially malicious hidden data item comprises encoded data within one or more of a digital watermark, steganography and a barcode;
  
  determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy of a plurality of security policies of the private network enforced by the network security device by decoding the encoded data and applying a content filter to a result of the decoding; and
  
  when said determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy is affirmative, then (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient to be alerted regarding the violated security policy and (iii) causing a network administrator of the private network to be alerted regarding the violated security policy.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The network security device of claim 11, wherein the content filter comprises a Uniform Resource Locator (URL) filter.
  - 13. The network security device of claim 12, wherein the security policy contains information indicative of a URL known to be associated with malicious activities.
  - 14. The network security device of claim 12, wherein the security policy contains information indicative of a URL associated with a blacklisted website.
  - 15. The network security device of claim 12, wherein the security policy contains information indicative of a URL that redirects to or is otherwise associated with a blacklisted website.
  - 16. The network security device of claim 11, wherein said determining, by the IPS engine, presence of a potentially malicious hidden data item comprises matching a signature of the media file against a plurality of signatures of media files known to include unsafe hidden data.
  - 17. The network security device of claim 11, wherein said determining, by the IPS engine, presence of a potentially malicious hidden data item comprises performing content inspection processing on the media file.
  - 18. The network security device of claim 11, wherein said determining, by the IPS engine, presence of a potentially malicious hidden data item comprises sending the media file or information regarding the media file to a remote or cloud-based network security appliance external to the private network.
  - 19. The network security device of claim 11, wherein the media file comprises an image file or a video file.
  - 20. The network security device of claim 11, wherein the barcode comprises a linear barcode or a matrix barcode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Yan, Guoyi, Zheng, Juneng
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/456,508
Publication Number

US 20170187683A1
Time in Patent Office

150 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04N 1/32352   Controlling detectability o...

Filtering hidden data embedded in media files

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering hidden data embedded in media files

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links