Distributed split browser content inspection and analysis

US 10,164,993 B2
Filed: 02/21/2017
Issued: 12/25/2018
Est. Priority Date: 06/16/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of detecting malware threats, the method comprising:

receiving over a network at a computer system from a first client browser, during a browsing session, a threat inspection request for a first item of content associated with a first webpage requested by the first client browser in accordance with configurable browser-based rules, the browser-based rules configured to selectively submit threat inspection requests, the first webpage comprising HTML layout information, the first item of content, associated with the first webpage, comprising embedded content received from a content source or a link in the first webpage to content, wherein the first client browser is hosted on a computing device remote from the computer system;

accessing, by the computer system, threat determination criteria;

based at least in part on the accessed threat determination criteria, determining by the computer system a malware indicator associated with whether the first item of content comprising embedded content received from a content source or a link in the first webpage to content, associated with the threat inspection request from the first client browser, comprises malware, wherein determining by the computer system a malware indicator associated with whether the first item of content comprises malware comprises generating a content hash for the first item of content and comparing the generated content hash for the first item of content with content hashes of known threats; and

transmitting by the computer system to the first client browser, from which the threat inspection request was received, the malware indicator, wherein the first client browser is configured to process the malware indicator.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Content inspection and analysis are described. A server stores a definition of sets of browser policies. A definition of one or more sets of users is stored. The server stores an association with a respective set of browser policies for the one or more sets of users. A request is received from a client browser associated with a user, wherein the client browser is configured to communicate with the server. The server determines which set of users the user is associated with. The server identifies a first set of browser policies that is associated with the determined set of users and applies the identified first set of browser policies to the request.

175 Citations

17 Claims

1. A computer-implemented method of detecting malware threats, the method comprising:
- receiving over a network at a computer system from a first client browser, during a browsing session, a threat inspection request for a first item of content associated with a first webpage requested by the first client browser in accordance with configurable browser-based rules, the browser-based rules configured to selectively submit threat inspection requests, the first webpage comprising HTML layout information, the first item of content, associated with the first webpage, comprising embedded content received from a content source or a link in the first webpage to content, wherein the first client browser is hosted on a computing device remote from the computer system;
  
  accessing, by the computer system, threat determination criteria;
  
  based at least in part on the accessed threat determination criteria, determining by the computer system a malware indicator associated with whether the first item of content comprising embedded content received from a content source or a link in the first webpage to content, associated with the threat inspection request from the first client browser, comprises malware, wherein determining by the computer system a malware indicator associated with whether the first item of content comprises malware comprises generating a content hash for the first item of content and comparing the generated content hash for the first item of content with content hashes of known threats; and
  
  transmitting by the computer system to the first client browser, from which the threat inspection request was received, the malware indicator, wherein the first client browser is configured to process the malware indicator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as defined in claim 1, wherein the malware indicator comprises a threat score.
  - 3. The method as defined in claim 1, wherein determining by the computer system a malware indicator, associated with whether the first item of content comprises malware, further comprises utilizing historical, crowd sourced data.
  - 4. The method as defined in claim 1, wherein determining by the computer system a malware indicator associated with whether the first item of content comprises malware further comprises analyzing a change in frequency of requests for the first item of content.
  - 5. The method of claim 1, wherein the client browser is configured to selectively request inspection of items of content based on one or more browser rules.
  - 6. The method of claim 1, the method further comprising configuring, by the computer system, the client browser with one or more rules configured to utilize the information associated with the indicator associated with whether the first item of content comprises malware in determining how the browser is to process the first item of content.
  - 7. The method of claim 1, wherein the client browser is configured to selectively request inspection of executable content and not to request inspection of non-executable content.
  - 8. The method of claim 1, wherein the client browser is configured to selectively request inspection of items of content based at least in part on how much processing power is needed to determine whether a given item of content is a risk.
  - 9. The method of claim 1, wherein the computing device remote from the computer system is a tablet computer.

10. A computer system, comprising:
- a computer data repository that stores threat criteria, said computer data repository comprising a non-transitory storage device;
  
  one or more computing devices, said computing system programmed to implement a threat detection system configured to;
  
  receive a threat inspection request from a first client browser, during a browsing session, for a first item of content associated with a first webpage requested by the first client browser in accordance with configurable browser-based rules, the browser-based rules configured to selectively submit threat inspection requests, the first webpage comprising HTML layout information, wherein the first client browser is hosted on a networked computing device remote from the threat inspection system;
  
  access threat determination criteria from the computer data repository;
  
  based at least in part on the threat determination criteria, determine a malware indicator associated with whether the first item of content, associated with the threat inspection request from the first client browser, comprises malware, wherein determining a malware indicator associated with whether the first item of content comprises malware comprises generation of a content hash for the first item of content and comparison of the generated content hash for the first item of content with content hashes of known threats; and
  
  transmit the malware indicator to the first client browser from which the threat inspection request was received, wherein the first client browser is configured to process the malware indicator.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer system as defined in claim 10, wherein the malware indicator comprises a threat score.
  - 12. The computer system as defined in claim 10, wherein the determination of a malware indicator, associated with whether the first item of content comprises malware, utilizes historical, crowd sourced data.
  - 13. The computer system as defined in claim 10, wherein the determination of a malware indicator, associated with whether the first item of content comprises malware, is based at least in part on a detection of a change in frequency of requests for the first item of content.
  - 14. The computer system as defined in claim 10, wherein the computer system is configured to configure the client browser with one or more rules configured to utilize the information associated with the indicator, associated with whether the first item of content comprises malware, in determining how the browser is to process the first item of content.

15. A computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that direct a computer system to at least:
- receive a threat inspection request from a first client browser, during a browsing session, for a first item of content associated with a first webpage requested by the first client browser in accordance with configurable browser-based rules, the browser-based rules configured to selectively submit threat inspection requests, the first webpage comprising HTML layout information, wherein the first client browser is hosted on a networked computing device remote from the computer system;
  
  access threat determination criteria;
  
  based at least in part on the threat determination criteria, determine malware indicator associated with whether the first item of content, associated with the threat inspection request from the first client browser, comprises malware, wherein determining a malware indicator associated with whether the first item of content comprises malware comprises generation of a content hash for the first item of content and comparison of the generated content hash for the first item of content with content hashes of known threats; and
  
  transmit the malware indicator to the first client browser, wherein the first client browser is configured to process the malware indicator.
- View Dependent Claims (16, 17)
- - 16. The computer storage system as defined in claim 15, wherein the malware indicator comprises a threat score.
  - 17. The computer storage system as defined in claim 15, wherein the determination of a malware indicator, associated with whether the first item of content comprises malware, utilizes historical, crowd sourced data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Warman, Leon Robert, Kufeld, Kurt, Vosshall, Peter Sven, Johansson, Jesper Mikael, Peterson, Kyle Bradley, Hill, Peter Frank
Primary Examiner(s)
Ho, Dao Q
Assistant Examiner(s)
Khan, Sher A

Application Number

US15/438,449
Publication Number

US 20170163675A1
Time in Patent Office

672 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 41/50   Network service management,...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

Distributed split browser content inspection and analysis

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed split browser content inspection and analysis

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links