Methods and systems for detecting unwanted web contents

US 9,811,664 B1
Filed: 08/15/2011
Issued: 11/07/2017
Est. Priority Date: 08/15/2011
Status: Active Grant

First Claim

Patent Images

1. A method of detecting unwanted web contents, the method to be performed by a first computer and a second computer that each comprises a processor and a memory, the method comprising:

the first computer receiving a first web page from a first website;

the first computer extracting a plurality of hypertext markup language (HTML) tags from the first web page;

the first computer generating page structure traits of the first web page by forming the plurality of HTML tags together into a pattern that comprises the plurality of HTML tags;

the first computer comparing the page structure traits of the first web page to page structure traits of a normal web page;

to prevent false positives, the first computer removing from the page structures of the first web page a feature that makes the page structure traits of the normal web page match the page structure traits of the first web page;

the second computer receiving the page structure traits of the first web page after the feature has been removed from the page structure traits of the first web page; and

the second computer detecting unwanted web content in a second web page received from a second website by comparing page structure traits of the second web page against the page structure traits of the first web page.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Unwanted web contents are detected in an endpoint computer. The endpoint computer receives a web page from a website. The reputation of the website is determined and the web page is scanned for malicious codes to protect the endpoint computer from web threats. To further protect the endpoint computer from web threats including mutating unwanted web contents, page structure traits of the web page are generated and compared to page structure traits of other web pages detected to contain unwanted web contents.

45 Citations

View as Search Results

13 Claims

1. A method of detecting unwanted web contents, the method to be performed by a first computer and a second computer that each comprises a processor and a memory, the method comprising:
- the first computer receiving a first web page from a first website;
  
  the first computer extracting a plurality of hypertext markup language (HTML) tags from the first web page;
  
  the first computer generating page structure traits of the first web page by forming the plurality of HTML tags together into a pattern that comprises the plurality of HTML tags;
  
  the first computer comparing the page structure traits of the first web page to page structure traits of a normal web page;
  
  to prevent false positives, the first computer removing from the page structures of the first web page a feature that makes the page structure traits of the normal web page match the page structure traits of the first web page;
  
  the second computer receiving the page structure traits of the first web page after the feature has been removed from the page structure traits of the first web page; and
  
  the second computer detecting unwanted web content in a second web page received from a second website by comparing page structure traits of the second web page against the page structure traits of the first web page.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the second web page is received by the second computer in response to determining that the second website has a good reputation, and the second computer compares the page structure traits of the second web page to the page structure traits of the first web page after determining that the second website has the good reputation.
  - 3. The method of claim 1, further comprising:
    - determining a reputation of the second website by consulting another computer that compares identifying information of the second website to identifying information of known malicious websites.
  - 4. The method of claim 1, wherein the pattern comprises the plurality of HTML tags extracted from the first web page but the pattern does not include any uniform resource locator (URL) from the first web page.
  - 5. The method of claim 1, wherein the pattern only includes the plurality of HTML tags.
  - 6. The method of claim 1, wherein page structure traits of other web pages are periodically received in the second computer.
  - 7. The method of claim 1, further comprising:
    - prior to the second computer detecting unwanted web content in the second web page, the second computer scanning the second web page for malicious codes, andwherein the second computer detects unwanted web content in the second web page in response to not detecting malicious codes in the second web page during the scanning of the second web page for malicious codes.
  - 8. The method of claim 1, further comprising:
    - the second computer providing the page structure traits of the second web page over a computer network to a feedback server computer when the web page is deemed to be containing unwanted web content.
  - 9. The method of claim 1, wherein the page structure traits of the first web page comprises the HTML tags concatenated together into a string.
  - 10. The method of claim 1, further comprising:
    - the first computer detecting that a third web page is another normal web page when the third webpage has page structure traits that match page structure traits of a fourth web page, and the third and fourth web pages are hosted under different domain names in different geographical locations but belonging to a same company.

11. A method of generating page structure traits for detecting unwanted web contents, the method to be performed by a server computer comprising a processor and a memory, the method comprising:
- the server computer retrieving web pages from a plurality of websites;
  
  the server computer analyzing the web pages for unwanted web contents;
  
  the server computer generating malicious page structure traits of web pages detected to have unwanted web contents based on the analysis of the web pages, each of the malicious page structure traits comprising a plurality of hypertext markup language (HTML) tags that are extracted from a corresponding web page and formed together into a pattern and matching page structure traits of a plurality of web pages;
  
  the server computer comparing the malicious page structure traits to normal page structure traits of normal web pages;
  
  to prevent false positives, the server computer removing from the malicious page structure traits features that make the normal page structure traits of normal web pages match the malicious page structure traits;
  
  after removing the features from the malicious page structure traits, the server computer providing the malicious page structure traits to a plurality of endpoint computers; and
  
  in the plurality of endpoint computers, comparing the malicious page structure traits to page structure traits of other web pages to detect unwanted web contents in the other web pages.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, further comprising:
    - the server computer receiving page structure traits of web pages received in the plurality of endpoint computers and having unwanted web contents.
  - 13. The method of claim 11, wherein each of the malicious page structure traits comprises extracted HTML tags that are concatenated together into a string.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Hsu, Cheng-Hsin, Pu, Peng-Shih, Chen, Chih-Chia, Su, Shr-An
Primary Examiner(s)
King, John B

Application Number

US13/209,807
Time in Patent Office

2,276 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Methods and systems for detecting unwanted web contents

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting unwanted web contents

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links