WEB ELEMENT SPOOFING PREVENTION SYSTEM AND METHOD
First Claim
1. A method of inspecting Web elements for real-time classification and detection of Web elements spoofing attempts, comprising the steps of:
(a) identifying trustworthy Web locations for generating a database of safe zones;
(b) for each inspected element, checking whether or not its top frame URL is included in said database, if it is included, classifying said element as suspected in Web elements location spoofing attempt;
(c) looking for patterns to identify known Web content in said element, if no visual consequences are identified, classifying said element as unknown;
(d) checking whether said known element is in an HTML frame or not, if it is in an HTML frame, classifying said element as unsafe;
(e) checking whether or not the URL of the element points to an expected location for serving its content, if the location is expected, classifying said element as suspected in Web elements location spoofing attempt;
(f) checking whether or not the URL host is an IP address, if it is not an IP address, classifying said element as unsafe;
(g) resolving said IP address to domain name; and
(h) checking whether or not said resolved URL points to an expected location, if the location is expected, classifying said element as safe, otherwise, classifying said element as unsafe.
Abstract
A method of inspecting Web elements for real-time classification and detection of Web elements spoofing attempts, according to which trustworthy Web locations are identified for generating a database of safe zones. For each inspected element, it is checked whether or not its top frame URL is included in the database, and if it is included, the element is classified as suspected in Web elements location spoofing attempt.
10 Claims
2. A method of inspecting Web traffic elements for real-time classification and detection of Web elements location spoofing attempts, comprising the steps of:
(a) checking whether or not the URL is an SSL encrypted location, if it is not an SSL encrypted location, resolving the IP address to which the Web browser is accessing to a domain name on a trusted DNS server;
(b) comparing the returned domain name against the domain name in the URL, if the domain name matches the one on said URL, classifying said element as safe, else classifying said element as unsafe;
(c) if the URL is an SSL encrypted location, checking whether or not the SSL certificate is valid, if the SSL certificate is not valid, resolving the IP address to a domain name and jumping to step (b); and
(d) extracting the domain name from the certificate and comparing it against the domain name from the URL, if the domain names are not the same, the content is classified as unsafe, else, resolving the IP address to a domain name and jumping to step (b).
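The decision flow of claim 2, written out as an added Python example that is not part of the patent text. The `classify` function, the `reverse_lookup` callable standing in for the trusted DNS server, the `cert` dictionary shape, the treatment of `https` as the "SSL encrypted location", and all sample addresses and domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

SAFE, UNSAFE = "safe", "unsafe"

def _norm(name):
    # Assumption: names are compared case-insensitively, ignoring a trailing dot.
    return name.rstrip(".").lower()

def classify(url, peer_ip, reverse_lookup, cert=None):
    """Classify one element following steps (a)-(d) of claim 2.

    reverse_lookup: callable ip -> domain name or None; stands in for the
        trusted DNS server (hypothetical interface).
    cert: {"valid": bool, "domain": str} summarising the certificate check
        (hypothetical shape); ignored for non-SSL URLs.
    """
    parts = urlsplit(url)
    host = _norm(parts.hostname or "")
    is_ssl = parts.scheme == "https"  # assumption: "SSL encrypted location" means https
    # Steps (c)/(d): only a valid certificate is compared with the URL's domain.
    if is_ssl and cert is not None and cert["valid"]:
        if _norm(cert["domain"]) != host:
            return UNSAFE  # step (d): certificate names a different domain
    # Non-SSL (a), invalid certificate (c) and matching certificate (d)
    # all continue to step (b): resolve the IP and compare with the URL's domain.
    resolved = reverse_lookup(peer_ip)
    if resolved is None:
        return UNSAFE  # assumption: no reverse record counts as a mismatch
    return SAFE if _norm(resolved) == host else UNSAFE

# Constructed reverse-DNS table (documentation address ranges, example domains).
PTR = {"192.0.2.10": "shop.example.com", "198.51.100.7": "host7.example.net"}

def run_samples():
    good = {"valid": True, "domain": "shop.example.com"}
    other = {"valid": True, "domain": "login.example.org"}
    expired = {"valid": False, "domain": "shop.example.com"}
    cases = [
        ("http://shop.example.com/login", "192.0.2.10", None),    # (a) -> (b) match
        ("http://shop.example.com/login", "198.51.100.7", None),  # (a) -> (b) mismatch
        ("https://shop.example.com/", "192.0.2.10", good),        # (d) match -> (b) match
        ("https://shop.example.com/", "192.0.2.10", other),       # (d) mismatch
        ("https://shop.example.com/", "198.51.100.7", expired),   # (c) -> (b) mismatch
        ("http://shop.example.com/", "203.0.113.5", None),        # no reverse record
    ]
    return [classify(u, ip, PTR.get, c) for u, ip, c in cases]

if __name__ == "__main__":
    print(run_samples())
```

As claimed, step (c) does not make an invalid certificate a verdict on its own: the element is still judged by the reverse-lookup comparison in step (b).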
Specification