Detect malicious content in OSS images

This topic describes the types of embedded malicious content that Content Moderation detects in images stored in Object Storage Service (OSS), explains how to configure a detection job, and shows how to view the results.

Supported types of embedded malicious content

OSS violation detection in Content Moderation supports the following two types of embedded malicious content. If your images are from other sources, you can use the Image Moderation Enhanced Edition API to run detection using the Malicious Image Detection service.

Type 1: Embedded video segments

Malicious actors embed fragmented video segments into images. These images typically have a low resolution but are several hundred kilobytes in size, which lets them pass the file size limits of many applications. Binary analysis reveals that these are not standard image files: although the file header may identify the file as a PNG, the body contains embedded resources. These images are often designed to be played using streaming protocols such as M3U8. A player that uses such a protocol parses the binary data for stream information to determine whether the file is playable.

Type 2: Embedded player code

Malicious actors inject JavaScript (JS) into an image and upload the image to OSS or a Content Delivery Network (CDN). They then distribute the image URL through illicit channels, such as gambling or adult websites. When a user accesses the URL, the embedded JS code detects the user's browser type and serves different content. For example, a mobile browser might render a video player, while a desktop browser is redirected to a non-existent file or receives an error. This technique helps evade standard web inspection tools.

Risk assessment

Malicious actors often distribute these images, leading to unauthorized use of your OSS bucket traffic. This results in sudden spikes in bandwidth or traffic consumption, causing unexpectedly high bills.

OSS uses a pay-as-you-go billing model. Due to factors such as billing cycles and processing delays, your services may not be suspended immediately when your account balance reaches zero. This can result in an overdue balance or a single bill that exceeds the credit limit that triggers service suspension.

To mitigate these risks, we recommend that you configure essential security settings for OSS. For more information, see Mitigate financial losses caused by malicious traffic.

Detect malicious content in OSS images

Prerequisites

Create a detection task

  1. Log on to the Content Moderation console. In the left-side navigation pane, choose OSS Violation Detection-Inclusive Edition > Detection Task.

  2. Create a detection task, such as an incremental, full, or scheduled detection task. For more information, see Configure an incremental detection job, Configure a full detection job, and Configure a scheduled detection job.

    When you create the task, select Malicious Image Detection for the Detection Service parameter. This service can identify malicious images and lets you specify a scan range based on a time period and an object prefix.

View detection results

After the detection task is complete, you can view the results in the console or query the value of the label parameter in Log Service.

  • A label with the value risk_videoAbuse indicates that the image may contain a hidden video.

  • A label with the value risk_playerAbuse indicates that the image may contain a hidden player.

In the console, you can query detection results from the last 180 days, and view or export up to 50,000 records. For more information, see Query the results of an incremental detection job, Query the results of a full detection job, and Query the results of a scheduled detection job.

All detection results are sent to Log Service. You can use Log Service to query, analyze, and process the data to identify risk trends and enable real-time monitoring. For more information, see Store OSS violation detection results in Log Service.

The following examples show sample results from Log Service queries.

{
    "Result":
    [
        {
            "Confidence": 100.0,
            "Label": "risk_videoAbuse" // Indicates that the image may contain a hidden video.
        }
    ],
    "Service": "riskDetection",
    "RequestId": "IS19FC-XXXXXXXX-XXXXXX-XXXXX253B5B"
}

{
    "Result":
    [
        {
            "Confidence": 100.0,
            "Label": "risk_playerAbuse" // Indicates that the image may contain a hidden player.
        }
    ],
    "Service": "riskDetection",
    "RequestId": "26BE877B-XXXXXXXX-XXXXXX-XXXXXFF2694BD"
}