IPC Classification Information
Country / Type | United States (US) Patent, Registered
International Patent Classification (IPC 7th ed.) |
Application number | US-0178772 (2008-07-24)
Registration number | US-8286239 (2012-10-09)
Inventor / Address |
Applicant / Address |
Agent / Address |
Citation information | Cited by: 49 | Cited patents: 0
Abstract
Systems, methods and apparatus for identifying web risks use a web risk service external to network edges of at least one system. The web risk service receives a web request from a computer within the at least one system, the web request identifying at least one network address. The web risk service determines a web risk index score for the at least one network address, and compares the determined web risk index score to at least one threshold value. Based on the comparison, the service determines how to handle the web request, e.g., by forwarding, blocking, and/or logging the web request.
Representative Claims
1. A network security system, comprising: a web risk service operating on a server comprising a processing node and external to network edges of at least one system, the web risk service configured to: receive a web request from a computer within the at least one system, the web request identifying at least one network address; determine a web risk index score for the at least one network address, the web risk index score based on a third party analysis, a passive analysis comprising an in-line analysis of the web request in real time, and an active analysis comprising a plurality of queries to the at least one network address with each query configured to solicit a different response in order to identify separate risk information; compare the determined web risk index score to at least one threshold value; handle the web request based on the comparison; and provide the determined web risk index score to an authority node such that the authority node shares the determined web risk index score with a plurality of additional processing nodes; wherein the web risk service operates at the processing node with all web requests from the computer sent over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the processing node.

2. The system of claim 1, wherein the web risk service is further configured to transmit a status of the web request to the computer.

3. The system of claim 1, wherein the web risk service is further configured to perform a lookup in at least one web risk table to determine the web risk index score.

4. The system of claim 3, wherein the at least one web risk table resides within the web risk service.

5. The system of claim 4, wherein the at least one web risk table comprises the values of one or more web risk indicators for a particular domain name, URL, or server identified by the web request.

6. The system of claim 1, wherein the web risk service is further configured to: identify a plurality of values, each of the plurality of values associated with a respective risk indicator based on the third party analysis, the passive analysis and the active analysis, wherein at least some of the identified plurality of values contribute to the web risk index score.

7. The system of claim 6, wherein the web risk service is configured to determine the web risk index score by calculating a weighted average of at least some of the identified plurality of values.

8. The system of claim 1, wherein: the third party analysis comprises utilizing datasets of known malicious sites and analyzing datasets comprising factual data to provide insight into potential risk; the passive analysis comprises an in-line analysis of the web request in real time to obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates; and the active analysis comprises queries sent by the server to identify vulnerable components and fingerprint web sites.

9. The system of claim 1, wherein the web risk service is configured to handle the web request by permitting, blocking, or permitting but logging the web request.

10. The system of claim 1, wherein the web risk service is configured to handle the web request by permitting the web request and providing a warning message for display on the computer.

11. A network security system, comprising: a web risk service operating between a plurality of servers and external to network edges of at least one system, the web risk service configured to: perform a third party analysis, a passive analysis, and an active analysis to determine a plurality of values identifying risk indicators; receive a web request from a computer within the at least one system, the web request identifying at least one network address; determine at least one value of the plurality of values identifying a risk indicator for the at least one network address; compare the at least one value to a definitive rule list; handle the web request based on the comparison; and provide the risk indicator for the at least one network address to an authority node such that the authority node shares the risk indicator with a plurality of processing nodes; wherein the passive analysis comprises an in-line analysis of the web request in real time to obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates; wherein the active analysis comprises a plurality of queries sent by the server to identify vulnerable components and fingerprint web sites, wherein each query is configured to solicit a different response in order to identify separate risk information; wherein the plurality of servers comprise at least one processing node with all web requests from the computer sent over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the at least processing node.

12. A method of malware detection, comprising: a server comprising a processing node receiving a web request from a computer within the at least one system over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection, the web request identifying at least one network address, wherein the computer is connected to an external network directly through the processing node; the server determining a web risk index score for the at least one network address, the web risk score based on a third party analysis, a passive analysis, and an active analysis; the server comparing the determined web risk index score to at least one threshold value; the server handling the web request based on the comparison; and providing the determined web risk index score to an authority node such that the authority node shares the determined web risk index score with a plurality of additional processing nodes; wherein the passive analysis comprises an in-line analysis of the web request in real time to obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates; and wherein the active analysis comprises a plurality of queries sent by the server to identify vulnerable components and fingerprint web sites, wherein each query is configured to solicit a different response in order to identify separate risk information.

13. The method of claim 12, further comprising transmitting a status of the web request to the computer.

14. The method of claim 12, further comprising performing a lookup in at least one web risk table to determine the web risk index score.

15. The method of claim 14, wherein the at least one web risk table comprises the values of one or more web risk indicators for a particular domain name, URL, or server identified by the web request.

16. The method of claim 12, further comprising identifying a plurality of values, each of the plurality of values associated with a respective risk indicator, wherein at least some of the identified plurality of values contribute to the web risk index score.

17. The method of claim 16, wherein determining the web risk index score comprises calculating a weighted average of at least some of the identified plurality of values.

18. The method of claim 12, wherein handling the web request comprises handling the web request by permitting, blocking, or permitting but logging the web request.

19. The method of claim 12, wherein handling the web request comprises handling the web request by permitting the web request and providing a warning message for display on the computer.