Filtering hidden data embedded in media files
First Claim
1. A method comprising:
- intercepting network traffic, by a network security device protecting a private network, directed to an intended recipient associated with the private network;
- identifying, by the network security device, existence of a media file within the network traffic;
- performing a pre-match inspection, by the network security device, of the media file by:
  - generating a signature of the media file; and
  - detecting presence of a potentially malicious hidden data item in a form of encoded data within one or more of a digital watermark, steganography and a barcode embedded in the media file by comparing the generated signature with a plurality of signatures of known unsafe media files;
- when no threat is identified as being associated with the media file by the pre-match inspection, then determining, by the network security device, whether the potentially malicious hidden data item violates a security policy of a plurality of security policies of the private network enforced by the network security device by performing local content inspection processing of the media file by decoding the encoded data and applying a content filter to a result of said decoding;
- when no threat is identified as being associated with the media file by the local content inspection processing, causing, by the network security device, a remote or cloud-based network security appliance external to the private network to perform further evaluation of the media file by sending the media file or the generated signature to the remote or cloud-based network security appliance;
- when no threat is identified as being associated with the media file by the remote or cloud-based network security appliance, then allowing, by the network security device, the network traffic to be delivered to the intended recipient; and
- when a threat is identified as being associated with the media file by any of the pre-match inspection, the local content evaluation and the remote or cloud-based network security appliance, then blocking, by the network security device, delivery of the network traffic to the intended recipient.
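The order of checks recited in claim 1, shown as an added Python example that is not part of the patent text. Assumptions made here and not stated in the claim: SHA-256 as the signature, a least-significant-bit encoding with a 16-bit length prefix as the hidden-data format, the `BLOCKED_TERMS` policy, and a `cloud` function standing in for the remote appliance.

```python
import hashlib

BLOCKED_TERMS = (b"http://", b"powershell", b"cmd.exe")  # hypothetical policy terms

def signature(media: bytes) -> str:
    """Stage 1 signature. SHA-256 is an assumption; the claim names no algorithm."""
    return hashlib.sha256(media).hexdigest()

def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Build constructed test media: 16-bit length + payload in the low bits."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def decode_lsb(media: bytes) -> bytes:
    """Stage 2 decoder: collect low bits, MSB first; b'' if the length is implausible."""
    raw = bytearray()
    for i in range(0, len(media) - len(media) % 8, 8):
        byte = 0
        for sample in media[i:i + 8]:
            byte = (byte << 1) | (sample & 1)
        raw.append(byte)
    length = int.from_bytes(raw[:2], "big")
    return bytes(raw[2:2 + length]) if 0 < length <= len(raw) - 2 else b""

def inspect(media, unsafe_signatures, cloud_lookup):
    """Return (action, stage) following the claimed order of checks."""
    sig = signature(media)
    if sig in unsafe_signatures:                      # pre-match inspection
        return ("block", "pre-match")
    hidden = decode_lsb(media).lower()                # local content inspection
    if any(term in hidden for term in BLOCKED_TERMS):
        return ("block", "local-content")
    if cloud_lookup(sig):                             # remote evaluation, signature only
        return ("block", "cloud")
    return ("allow", "clean")

# Constructed sample media: flat "pixel" bytes, not real image files.
CLEAN = bytes([0x80]) * 512
STEGO = embed_lsb(CLEAN, b"http://constructed.example/stage2")
KNOWN_BAD = embed_lsb(CLEAN, b"hello")
CLOUD_ONLY = bytes([0x80]) * 256
UNSAFE = {signature(KNOWN_BAD)}
CLOUD_VERDICTS = {signature(CLOUD_ONLY)}
def cloud(sig):
    return sig in CLOUD_VERDICTS  # stand-in for the remote appliance
```

`KNOWN_BAD` carries a payload the local filter would pass, so it is blocked only because its signature is listed; `STEGO` is unlisted and is caught only after decoding.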
Abstract
Systems and methods for filtering unsafe content by a network security device are provided. According to one embodiment, a network security device captures network traffic and extracts a media file from the network traffic. The network security device then determines the presence of a hidden data item embedded in the media file in a machine-readable form. When such a hidden data item is identified, the network security device performs one or more actions on the media file based on a predefined security policy.
18 Claims
10. A network security device comprising:
- a non-transitory storage device having embodied therein one or more modules of a firewall and an Intrusion Prevention System (IPS) engine; and
- one or more processors coupled to the non-transitory storage device and operable to execute the one or more modules to perform a method comprising:
  - intercepting network traffic directed to an intended recipient associated with a private network protected by the network security device;
  - identifying existence of a media file within the network traffic;
  - performing a pre-match inspection of the media file by:
    - generating a signature of the media file; and
    - detecting presence of a potentially malicious hidden data item in a form of encoded data within one or more of a digital watermark, steganography and a barcode embedded in the media file by comparing the generated signature with a plurality of signatures of known unsafe media files;
  - when no threat is identified as being associated with the media file by the pre-match inspection, then determining whether the potentially malicious hidden data item violates a security policy of a plurality of security policies of the private network enforced by the network security device by performing local content inspection processing of the media file by decoding the encoded data and applying a content filter to a result of said decoding;
  - when no threat is identified as being associated with the media file by the local content inspection processing, causing a remote or cloud-based network security appliance external to the private network to perform further evaluation of the media file by sending the media file or the generated signature to the remote or cloud-based network security appliance;
  - when no threat is identified as being associated with the media file by the remote or cloud-based network security appliance, then allowing the network traffic to be delivered to the intended recipient; and
  - when a threat is identified as being associated with the media file by any of the pre-match inspection, the local content evaluation and the remote or cloud-based network security appliance, then blocking delivery of the network traffic to the intended recipient.
Specification