By a News Reporter-Staff News Editor at Life Science Weekly — From Alexandria, Virginia, NewsRx journalists report that a patent by the inventors Ben-Itzhak, Yuval (Brno, CZ); Mosher, Gregory Andrew (Marietta, GA), filed on July 9, 2010, was published online on July 1, 2014 (see also AVG Netherlands B.V.).
The patent’s assignee for patent number 8769690 is AVG Netherlands B.V. (Amsterdam, NL).
News editors obtained the following quote from the background information supplied by the inventors: “As the popularity of social-networking websites such as Facebook and MySpace continues to grow, many webhosts now display user-generated content and/or links to third-party content on the websites they host. In a typical scenario, a webhost designates a website to a user, and the user provides the content to be displayed at the designated website. The content can include text, audio, and video data, and instructions to access content located at one or more content sources. For example, the instructions can include a uniform resource locator (URL) link to a news article or to a restaurant review posted on a different website. The visitors to the user’s website, typically the user’s friends and acquaintances, but also strangers in some situations, can view and/or download the displayed content. They can also follow the links in the instructions to other content sources, and access content provided by those sources. In this way, a user can share his or her knowledge, information, and sources of entertainment with the user’s friends and others.
“Not all uses of such functionality are benign, however. Instances in which a user uploads malicious content such as a computer virus or malware on to the designated website are well documented. Some users also provide links to sources configured to infect a visitor’s computer with malicious content–sometimes purposefully, and other times unknowingly. When a visitor accesses the uploaded content or identified site, the malicious content can cause harm to the visitor’s computer or mobile device. For example, a virus may be downloaded onto the visitor’s computer and may destroy the visitor’s data. In other instances, a malware program may be covertly installed and, without authorization from the visitor, track her on-line activities.
“One way a visitor to another person’s webpage can protect himself is by installing commercially available virus/malware protection software. Such software typically detects malicious components in files being downloaded onto the visitor’s computer and prevents the download and/or alerts the visitor of the presence of the malicious component. Some malicious components, however, may go undetected by the virus/malware protection software. Moreover, this method requires an Internet user to actively purchase, install and maintain the most up-to-date version of a virus/malware protection software. If such a program is not installed, or is disabled–not an uncommon practice among many Internet users–virtually no protection is available to the visitor.
“Even if the most up-to-date virus/malware protection software is used, it only inspects files being downloaded, and does not inspect an electronic source (e.g., a webpage) associated with a link supplied by a third party. Such a webpage can be a phishing site (i.e., an unauthorized website masquerading as a different, authorized website). A visitor to a malicious content provider’s website may unsuspectingly follow a link to a phishing website, and may unintentionally reveal his or her personal information to an unauthorized party. A virus/malware protection software typically cannot provide protection in this situation.
“Another way to provide protection to visitors is to employ a scanning service to scan web pages on the Internet. This service can detect websites containing malicious components and/or phishing websites, and may report the detected websites, but usually cannot remove or disable such websites. Unless a visitor checks the report generated by such a service prior to visiting a webpage, either manually or automatically, the user is not protected from exposure to a malicious webpage. In addition, a website designated by a host to a content provider is commonly password protected and although visitors registered with the host can visit the designated website, it cannot be scanned by a scanning service. As a result, the scanning service does not offer substantial protection to the visitors of the protected website.
“Finally, scanning services typically run only periodically, leaving a visitor vulnerable to exposure to recently uploaded malicious content. For example, a content provider may upload malicious content to his or her designated webpage. A person visiting the designated webpage soon thereafter, before a scanning service has scanned the designated webpage, would expose himself or herself to the malicious content. Thus, the scanning service generally does not provide real-time protection to visitors. Therefore, there is a need for improved systems and methods for providing protection to Internet users from malicious content present at sites accessible to them.”
As a supplement to the background information on this patent, NewsRx correspondents also obtained the inventors’ summary information for this patent: “In various embodiments of the present invention, protection is provided to visitors of web pages and viewers of online content. This is achieved, in part, by monitoring user-initiated instructions to access content at an electronic source. The content is scanned by the sender’s device before the instructions, links, or other embedded content are submitted to a host server and later displayed to potential site visitors. Scanning may include determining whether the content contains a computer virus or malware, appropriate text, and may also include determining whether the electronic source is an unauthentic, phishing website.
“In some instances, the portions of the scanning process may also be performed by components residing on a host server or provided by a third-party service interacting with client-resident scanning components. The electronic source may be a host server operated by a third-party, or, in some cases, may be the client node operated by the user sending the instructions. The client-resident scanning components may incorporate attributes of the scan results in the submitted instructions and/or embedded content for use by the components residing on the host server in further inspection. These attributes may include the scanning engine identity, user identity, scan results, and/or any other attribute that can be valuable to the host server.
“If the scanned content is deemed safe, an indication identifying it as such is associated with the content and can be presented to potential viewers of the content. Additionally, or in the alternative, if the content is deemed unsafe, the content and/or any of its components (e.g., a link) are marked as unsafe, alerting potential visitors of the presence of potentially harmful content. Because the monitoring and scanning operations may be performed solely by the sender device, even instructions to access limited-access (e.g., password-protected) websites can be monitored and marked as unsafe if the sources accessible using these instructions are determined to be harmful. A visitor can choose not to access the likely harmful content, and hence, her computer remains protected from the content.
“A link in the provided instructions can also be replaced with an alternate link, and the alternate link displayed to or otherwise communicated to the visitor. When the visitor clicks on the alternate link, content at the source associated with the replaced link is scanned. Only if the scanned content is determined to be safe is the visitor directed to that source. One advantage of this technique is that the content source which the visitor expects to visit is inspected for malicious components substantially immediately before the visit, thereby ensuring that the source is safe at the time of the visit.
“Accordingly, in one aspect, a method for analyzing content for malicious components includes monitoring, at a sender device, a submission of electronic instructions. Content referenced in the instructions (either at a destination node or included in the instructions) is accessed in response to the submitted instructions. The content is scanned for one or more malicious components to obtain a scan result and, based on the scan result, an indicator associated with the content indicating whether the content is deemed to be safe is presented with (and/or, in some cases, added to) the content.
“In some embodiments, the sender device sends the electronic instructions and the steps of monitoring, scanning, and presenting are performed by the sender device. In other embodiments, the sender device sends the electronic instructions and the steps of scanning and/or presenting are performed by a server. The sender device may also send the scanning results to the server for further scanning of the content, the scan results or both. The electronic instructions may include an instruction to visit a destination link, an instruction to view a multimedia file, and/or the content itself.
“The destination node (e.g., where the content ultimately resides) can be a content server, the sender device, a bulletin board service, a publicly accessible electronic content source, a repository and/or a database. In some embodiments, the instructions are posted at a host-server, which may also be a content server, a bulletin board service, and/or a publicly accessible electronic content source. In some cases the destination node itself may be the host-server.
“The content may include text data, audio data, image data, user-generated content, video data, and/or a link to content, and the presenting step may include displaying the content and the associated indicator in a webpage, an email, or a text message.
“According to a second aspect, a method is provided for analyzing content for malicious components, including monitoring, at a sender device, a submission of electronic instructions to access content. The instructions include a destination link to content at a destination node. The method also includes replacing the destination link with an alternate link, and presenting the alternate link to potential viewers of the content. In response to the viewer’s request to access content associated with the alternate link, content at the destination link and associated with the alternate link is scanned for one or more malicious components, a scan result is obtained, and the viewer is directed to the content at the destination link.
“In some embodiments, the monitoring and replacing steps are performed by the sender device and the scanning and directing steps are performed by a host-server to which the instructions are posted. The host-server may be a content server, a bulletin board service, and/or a publicly accessible electronic content source. The destination node can be a content server, a bulletin board service, a publicly accessible electronic content source, a repository, and a database. The destination node can also be a host-server where the instructions are posted.
“The electronic instructions may include an instruction to visit a webpage, an instruction to view a multimedia file, and/or the content, and the content may include text data, audio data, image data, video data, instructions to a computer, and/or a link to content. In some embodiments, the presenting step includes displaying the alternate link in a webpage.
“According to a third aspect, a system for analyzing content for malicious components includes a client device configured to facilitate electronic communications among individuals. The client device includes a monitor for monitoring submissions of electronic instructions to access content and a scanner to scan the content for one or more malicious components. Upon scanning the content, the scanner produces a scan result. The client device also includes a presenter for adding an indicator based on the scan result to be associated with the content when presented to potential viewers of the content.
“In some embodiments, the destination node is a content source, which can be a publicly accessible electronic content source. The scanner can include a computer-virus scanner and/or a malware scanner.
“According to a fourth aspect, a system for analyzing content for malicious components includes a sender device that includes a monitor for monitoring electronic instructions to access a destination node. The instructions include a destination link to content at the destination node. The sender device also includes a presenter for presenting an alternate link associated with the destination link.
“The system further includes a host-server that includes a scanner to scan content at the destination node for one or more malicious components. When a user requests access to content associated with the alternate link, the scanner produces a scan result. A director, included in the host-server, directs the user to the content at the destination node according to the scan result, e.g., when the scanner determines that the content is not harmful.
“In some embodiments the destination node comprises a content source, and the content source may include a publicly accessible electronic content source. The scanner may include a computer-virus scanner and/or a malware scanner. In some embodiments, the sending device also includes a scanner to scan content at the destination node for one or more malicious components to obtain a scan result and a presenter for presenting the destination link and an indicator associated with the destination link. The indicator is based on the scan result, and may indicate whether the content is determined to be safe.
“Other aspects and advantages of the invention will become apparent from the following drawings, detailed description, and claims, all of which illustrate the principles of the invention, by way of example only.”
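The alternate-link approach in the summary above can be illustrated with a short sketch. This is an added example, not code from the patent, the inventors, or NewsRx; every name in it (`scan`, `submit`, `click`, `host.example`, the bad-host set) is hypothetical, the scanner is a stand-in driven by constructed sample data, and sender and host-server share one process for brevity.

```python
import secrets
from urllib.parse import urlsplit

# Hypothetical names throughout; hosts and verdicts are constructed sample data.
ALT_BASE = "https://host.example/r/"
known_bad_hosts = {"phish.example"}   # stand-in for a real scanner's detections
_alternate_links = {}                 # token -> destination link, kept by the host-server


def scan(url):
    """Stand-in scanner: verdict from the scheme and a mutable bad-host set."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "unsafe"
    if any(host == bad or host.endswith("." + bad) for bad in known_bad_hosts):
        return "unsafe"
    return "safe"


def submit(destination):
    """Sender device: scan on submission, attach an indicator, swap in an alternate link."""
    token = secrets.token_urlsafe(16)
    _alternate_links[token] = destination
    return {"alternate_link": ALT_BASE + token, "indicator": scan(destination)}


def click(alternate_link):
    """Host-server: scan again when the viewer clicks, and direct only if safe now."""
    if not alternate_link.startswith(ALT_BASE):
        return ("reject", None)
    destination = _alternate_links.get(alternate_link[len(ALT_BASE):])
    if destination is None:
        return ("reject", None)       # unknown token: never act as an open redirector
    if scan(destination) != "safe":
        return ("block", None)        # viewer is not directed to the source
    return ("redirect", destination)


def demo():
    post = submit("https://news.example/article")   # deemed safe when posted
    before = click(post["alternate_link"])
    known_bad_hosts.add("news.example")             # destination is later found malicious
    after = click(post["alternate_link"])
    return post["indicator"], before, after
```

The indicator records the verdict at posting time, while `click` reflects the verdict at the moment of the visit, which is why the same alternate link is directed before the destination is flagged and blocked afterward.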
For additional information on this patent, see: Ben-Itzhak, Yuval; Mosher, Gregory Andrew. Protection from Malicious Web Content. U.S. Patent Number 8769690, filed July 9, 2010, and published online on July 1, 2014. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=8769690.PN.&OS=PN/8769690RS=PN/8769690
Keywords for this news article include: Viruses, Software, Virology, AVG Netherlands B.V.
Copyright 2014, NewsRx LLC