Identifying and managing web risks

US 8,286,239 B1
Filed: 07/24/2008
Issued: 10/09/2012
Est. Priority Date: 07/24/2008
Status: Active Grant

First Claim

Patent Images

1. A network security system, comprising:

a web risk service operating on a server comprising a processing node and external to network edges of at least one system, the web risk service configured to;

receive a web request from a computer within the at least one system, the web request identifying at least one network address;

determine a web risk index score for the at least one network address, the web risk index score based on a third party analysis, a passive analysis comprising an in-line analysis of the web request in real time, and an active analysis comprising a plurality of queries to the at least one network address with each query configured to solicit a different response in order to identify separate risk information;

compare the determined web risk index score to at least one threshold value;

handle the web request based on the comparison; and

provide the determined web risk index score to an authority node such that the authority node shares the determined web risk index score with a plurality of additional processing nodes;

wherein the web risk service operates at the processing node with all web requests from the computer sent over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the processing node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for identifying web risks use a web risk service external to network edges of at least one system. The web risk service receives a web request from a computer within the at least one system, the web request identifying at least one network address. The web risk service determines a web risk index score for the at least one network address, and compares the determined web risk index score to at least one threshold value. Based on the comparison, the service determines how to handle the web request, e.g., by forwarding, blocking, and/or logging the web request.

Citations

19 Claims

1. A network security system, comprising:
- a web risk service operating on a server comprising a processing node and external to network edges of at least one system, the web risk service configured to;
  
  receive a web request from a computer within the at least one system, the web request identifying at least one network address;
  
  determine a web risk index score for the at least one network address, the web risk index score based on a third party analysis, a passive analysis comprising an in-line analysis of the web request in real time, and an active analysis comprising a plurality of queries to the at least one network address with each query configured to solicit a different response in order to identify separate risk information;
  
  compare the determined web risk index score to at least one threshold value;
  
  handle the web request based on the comparison; and
  
  provide the determined web risk index score to an authority node such that the authority node shares the determined web risk index score with a plurality of additional processing nodes;
  
  wherein the web risk service operates at the processing node with all web requests from the computer sent over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the processing node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the web risk service is further configured to transmit a status of the web request to the computer.
  - 3. The system of claim 1, wherein the web risk service is further configured to perform a lookup in at least one web risk table to determine the web risk index score.
  - 4. The system of claim 3, wherein the at least one web risk table resides within the web risk service.
  - 5. The system of claim 4, wherein the at least one web risk table comprises the values of one or more web risk indicators for a particular domain name, URL, or server identified by the web request.
  - 6. The system of claim 1, wherein the web risk service is further configured to:
    - identify a plurality of values, each of the plurality of values associated with a respective risk indicator based on the third party analysis, the passive analysis and the active analysis, wherein at least some of the identified plurality of values contribute to the web risk index score.
  - 7. The system of claim 6, wherein the web risk service is configured to determine the web risk index score by calculating a weighted average of at least some of the identified plurality of values.
  - 8. The system of claim 1, wherein:
    - the third party analysis comprises utilizing datasets of known malicious sites and analyzing datasets comprising factual data to provide insight into potential risk;
      
      the passive analysis comprises an in-line analysis of the web request in real time to obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates; and
      
      the active analysis comprises queries sent by the server to identify vulnerable components and fingerprint web sites.
  - 9. The system of claim 1, wherein the web risk service is configured to handle the web request by permitting, blocking, or permitting but logging the web request.
  - 10. The system of claim 1, wherein the web risk service is configured to handle the web request by permitting the web request and providing a warning message for display on the computer.

11. A network security system, comprising:
- a web risk service operating between a plurality of servers and external to network edges of at least one system, the web risk service configured to;
  
  perform a third party analysis, a passive analysis, and an active analysis to determine a plurality of values identifying risk indicators;
  
  receive a web request from a computer within the at least one system, the web request identifying at least one network address;
  
  determine at least one value of the plurality of values identifying a risk indicator for the at least one network address;
  
  compare the at least one value to a definitive rule list;
  
  handle the web request based on the comparison; and
  
  provide the risk indicator for the at least one network address to an authority node such that the authority node shares the risk indicator with a plurality of processing nodes;
  
  wherein the passive analysis comprises an in-line analysis of the web request in real time to obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates;
  
  wherein the active analysis comprises a plurality of queries sent by the server to identify vulnerable components and fingerprint web sites, wherein each query is configured to solicit a different response in order to identify separate risk information;
  
  wherein the plurality of servers comprise at least one processing node with all web requests from the computer sent over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the at least processing node.

12. A method of malware detection, comprising:
- a server comprising a processing node receiving a web request from a computer within the at least one system over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection, the web request identifying at least one network address, wherein the computer is connected to an external network directly through the processing node;
  
  the server determining a web risk index score for the at least one network address, the web risk score based on a third party analysis, a passive analysis, and an active analysis;
  
  the server comparing the determined web risk index score to at least one threshold value;
  
  the server handling the web request based on the comparison; and
  
  providing the determined web risk index score to an authority node such that the authority node shares the determined web risk index score with a plurality of additional processing nodes;
  
  wherein the passive analysis comprises an in-line analysis of the web request in real time to obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates; and
  
  wherein the active analysis comprises a plurality of queries sent by the server to identify vulnerable components and fingerprint web sites, wherein each query is configured to solicit a different response in order to identify separate risk information.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, further comprising transmitting a status of the web request to the computer.
  - 14. The method of claim 12, further comprising performing a lookup in at least one web risk table to determine the web risk index score.
  - 15. The method of claim 14, wherein the at least one web risk table comprises the values of one or more web risk indicators for a particular domain name, URL, or server identified by the web request.
  - 16. The method of claim 12, further comprising identifying a plurality of values, each of the plurality of values associated with a respective risk indicator, wherein at least some of the identified plurality of values contribute to the web risk index score.
  - 17. The method of claim 16, wherein determining the web risk index score comprises calculating a weighted average of at least some of the identified plurality of values.
  - 18. The method of claim 12, wherein handling the web request comprises handling the web request by permitting, blocking, or permitting but logging the web request.
  - 19. The method of claim 12, wherein handling the web request comprises handling the web request by permitting the web request and providing a warning message for display on the computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Sutton, Michael
Primary Examiner(s)
McNally, Michael S

Application Number

US12/178,772
Time in Patent Office

1,538 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/126   the source of the received ...

H04L 63/1416   Event detection, e.g. attac...

Identifying and managing web risks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying and managing web risks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links