Identifying and managing web risks
Abstract
Systems, methods and apparatus for identifying web risks use a web risk service external to network edges of at least one system. The web risk service receives a web request from a computer within the at least one system, the web request identifying at least one network address. The web risk service determines a web risk index score for the at least one network address, and compares the determined web risk index score to at least one threshold value. Based on the comparison, the service determines how to handle the web request, e.g., by forwarding, blocking, and/or logging the web request.
19 Claims
1. A network security system, comprising:

a web risk service operating on a server comprising a processing node and external to network edges of at least one system, the web risk service configured to:
receive a web request from a computer within the at least one system, the web request identifying at least one network address;
determine a web risk index score for the at least one network address, the web risk index score based on a third party analysis, a passive analysis comprising an in-line analysis of the web request in real time, and an active analysis comprising a plurality of queries to the at least one network address with each query configured to solicit a different response in order to identify separate risk information;
compare the determined web risk index score to at least one threshold value;
handle the web request based on the comparison; and
provide the determined web risk index score to an authority node such that the authority node shares the determined web risk index score with a plurality of additional processing nodes;
wherein the web risk service operates at the processing node with all web requests from the computer sent over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the processing node.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A network security system, comprising:

a web risk service operating between a plurality of servers and external to network edges of at least one system, the web risk service configured to:
perform a third party analysis, a passive analysis, and an active analysis to determine a plurality of values identifying risk indicators;
receive a web request from a computer within the at least one system, the web request identifying at least one network address;
determine at least one value of the plurality of values identifying a risk indicator for the at least one network address;
compare the at least one value to a definitive rule list;
handle the web request based on the comparison; and
provide the risk indicator for the at least one network address to an authority node such that the authority node shares the risk indicator with a plurality of processing nodes;
wherein the passive analysis comprises an in-line analysis of the web request in real time for obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates;
wherein the active analysis comprises a plurality of queries sent by the server to identify vulnerable components and fingerprint web sites, wherein each query is configured to solicit a different response in order to identify separate risk information;
wherein the plurality of servers comprise at least one processing node with all web requests from the computer sent over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection to the at least one processing node.
12. A method of malware detection, comprising:

a server comprising a processing node receiving a web request from a computer within the at least one system over the Internet via a tunnel, a transparent proxy, a forward proxy, or redirection, the web request identifying at least one network address, wherein the computer is connected to an external network directly through the processing node;
the server determining a web risk index score for the at least one network address, the web risk index score based on a third party analysis, a passive analysis, and an active analysis;
the server comparing the determined web risk index score to at least one threshold value;
the server handling the web request based on the comparison; and
providing the determined web risk index score to an authority node such that the authority node shares the determined web risk index score with a plurality of additional processing nodes;
wherein the passive analysis comprises an in-line analysis of the web request in real time for obfuscated code, client side vulnerabilities, common indications of malicious activity, and invalid certificates; and
wherein the active analysis comprises a plurality of queries sent by the server to identify vulnerable components and fingerprint web sites, wherein each query is configured to solicit a different response in order to identify separate risk information.

(Dependent claims: 13, 14, 15, 16, 17, 18, 19)
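The abstract and independent claims 1 and 12 describe one pipeline: three analyses (third party, passive, active) feed a single web risk index score, the score is compared against threshold values, the request is forwarded, logged or blocked, and the score is published to an authority node that shares it with the other processing nodes. The following Python model is an added illustration of that pipeline and is not code from the patent, its assignee, or any product. The class names, the weights, the thresholds (30 and 70), the 0..100 scale and the sample findings are all assumptions constructed for the example; the active-analysis findings are passed in as already-collected data, so nothing here queries a network address.

```python
"""Model of a web risk index pipeline: score, threshold, handle, share.

Added example, not the patent's or any vendor's code. Weights, thresholds,
class names and sample findings are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    FORWARD = "forward"   # below the low threshold: pass through
    LOG = "log"           # between thresholds: forward but record
    BLOCK = "block"       # at or above the high threshold: refuse


@dataclass
class ThirdPartyAnalysis:
    """Findings from an external reputation source (assumed normalised)."""
    reputation: float = 0.0        # 0.0 clean .. 1.0 known bad
    on_blocklist: bool = False


@dataclass
class PassiveAnalysis:
    """In-line observations on the request/response as it flows through."""
    obfuscated_code: bool = False
    client_side_vuln: bool = False
    malicious_indicators: int = 0  # count of generic indicators seen
    invalid_certificate: bool = False


@dataclass
class ActiveAnalysis:
    """Results of earlier active checks, supplied here as data."""
    vulnerable_components: List[str] = field(default_factory=list)
    fingerprint: str = ""


def web_risk_index(tp: ThirdPartyAnalysis, pa: PassiveAnalysis,
                   aa: ActiveAnalysis) -> int:
    """Combine the three analyses into a 0..100 index (weights assumed)."""
    score = 40.0 * tp.reputation            # third party: up to 40
    if tp.on_blocklist:
        score = max(score, 40.0)            # a listing is worth the full 40
    score += 15 if pa.obfuscated_code else 0
    score += 15 if pa.client_side_vuln else 0
    score += 5 * min(pa.malicious_indicators, 3)
    score += 10 if pa.invalid_certificate else 0
    score += 10 * min(len(aa.vulnerable_components), 2)  # active: up to 20
    return int(round(min(score, 100.0)))


THRESHOLDS: Tuple[int, int] = (30, 70)     # assumed low/high thresholds


def handle(score: int, thresholds: Tuple[int, int] = THRESHOLDS) -> Action:
    """Map a score onto an action by comparing it with the thresholds."""
    low, high = thresholds
    if score >= high:
        return Action.BLOCK
    if score >= low:
        return Action.LOG
    return Action.FORWARD


class AuthorityNode:
    """Receives scores from one processing node and shares them with all."""
    def __init__(self) -> None:
        self.cache: Dict[str, int] = {}
        self.nodes: List["ProcessingNode"] = []

    def register(self, node: "ProcessingNode") -> None:
        self.nodes.append(node)
        node.authority = self

    def publish(self, address: str, score: int) -> None:
        self.cache[address] = score
        for node in self.nodes:
            node.shared[address] = score


class ProcessingNode:
    """Edge node through which a client's web requests are proxied."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.shared: Dict[str, int] = {}   # scores learned from the authority
        self.authority: Optional[AuthorityNode] = None

    def handle_request(self, address: str, tp: ThirdPartyAnalysis,
                       pa: PassiveAnalysis, aa: ActiveAnalysis
                       ) -> Tuple[int, Action, bool]:
        """Return (score, action, computed_locally) for one request."""
        if address in self.shared:          # reuse a score another node found
            return self.shared[address], handle(self.shared[address]), False
        score = web_risk_index(tp, pa, aa)
        if self.authority is not None:
            self.authority.publish(address, score)
        return score, handle(score), True


def demo() -> Dict[str, Tuple[int, Action, bool]]:
    """Run three constructed requests through two nodes sharing an authority."""
    authority, node_a, node_b = AuthorityNode(), ProcessingNode("a"), ProcessingNode("b")
    authority.register(node_a)
    authority.register(node_b)
    clean = ("cdn.example.com", ThirdPartyAnalysis(0.05), PassiveAnalysis(), ActiveAnalysis())
    odd = ("login.example.net", ThirdPartyAnalysis(0.3),
           PassiveAnalysis(malicious_indicators=2, invalid_certificate=True), ActiveAnalysis())
    bad = ("dl.example.org", ThirdPartyAnalysis(0.9, on_blocklist=True),
           PassiveAnalysis(obfuscated_code=True, client_side_vuln=True),
           ActiveAnalysis(["outdated-cms-plugin"], "cms/1.0"))
    out = {"clean": node_a.handle_request(*clean),
           "odd": node_a.handle_request(*odd),
           "bad": node_a.handle_request(*bad)}
    out["bad_via_b"] = node_b.handle_request(*bad)  # node b reuses the shared score
    return out


if __name__ == "__main__":
    for name, (score, action, local) in demo().items():
        print(f"{name:10} score={score:3} action={action.value:8} computed_locally={local}")
```

Node `b` never recomputes the score for the third address: the authority node has already pushed it into `b.shared`, which is the sharing step of the claims. Tuning the weights and the two thresholds is a policy decision; the structure (score, compare, act, share) is what the claims describe.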