Detecting computer security threats in electronic documents based on structure
First Claim
1. A data processing method providing an improvement in computer security, comprising:
selecting, from a queue identifying a plurality of web pages, a particular web page to retrieve from one of a plurality of internet sources;
causing retrieving a copy of the particular web page from a particular internet source;
determining a hierarchical document object model (DOM) tree structure of the particular web page;
based upon the hierarchical DOM tree structure of the particular web page and independent of consideration of content of the particular web page, identifying one or more features, of links in the particular web page or files referenced in the particular web page, that indicate one or more security threats;
determining a reputation score for the particular web page based on the one or more features that indicate the one or more security threats;
determining a specified remediation measure, based upon the reputation score, to remediate a security threat that is identified in the particular web page;
providing the specified remediation measure to one or more of a compromised computer, a sensor computer and an enterprise computer.
Abstract
In an embodiment, a data processing method providing an improvement in computer security comprises selecting, from a queue identifying a plurality of web pages, a particular web page to retrieve from one of a plurality of internet sources; causing retrieving a copy of the particular web page from a particular internet source; determining a hierarchical structure of the particular web page; based upon a hierarchical structure of the particular web page and without consideration of content of the particular web page, identifying one or more features, of links in the particular web page or files referenced in the particular web page, that indicate one or more security threats; determining a reputation score for the particular web page; determining a specified remediation measure, based upon the reputation score, to remediate a security threat that is identified in the particular web page; providing the specified remediation measure to one or more of a compromised computer, a sensor computer and an enterprise computer.
20 Claims
1. A data processing method providing an improvement in computer security, comprising:
selecting, from a queue identifying a plurality of web pages, a particular web page to retrieve from one of a plurality of internet sources;
causing retrieving a copy of the particular web page from a particular internet source;
determining a hierarchical document object model (DOM) tree structure of the particular web page;
based upon the hierarchical DOM tree structure of the particular web page and independent of consideration of content of the particular web page, identifying one or more features, of links in the particular web page or files referenced in the particular web page, that indicate one or more security threats;
determining a reputation score for the particular web page based on the one or more features that indicate the one or more security threats;
determining a specified remediation measure, based upon the reputation score, to remediate a security threat that is identified in the particular web page;
providing the specified remediation measure to one or more of a compromised computer, a sensor computer and an enterprise computer.
Claims 2 through 12 depend on claim 1.
13. A data processing system providing an improvement in computer security, comprising:
a plurality of sensor computers, each of which is coupled to a different one among a plurality of compromised computers in geographically distributed locations, each of the compromised computers comprising at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers, wherein the compromised computers are logically between one or more attacker computers and the one or more enterprise networks or enterprise computers;
a security control computer that is coupled to the sensor computers;
one or more non-transitory data storage media in the security control computer storing security logic comprising one or more sequences of instructions which when executed cause the security control computer to perform:
selecting, from a queue identifying a plurality of web pages, a particular web page to retrieve from one of a plurality of internet sources;
causing retrieving a copy of the particular web page from a particular internet source;
determining a hierarchical DOM tree structure of the particular web page;
based upon the hierarchical DOM tree structure of the particular web page and independent of consideration of content of the particular web page, identifying one or more features, of links in the particular web page or files referenced in the particular web page, that indicate one or more security threats;
determining a reputation score for the particular web page based on the one or more features that indicate the one or more security threats;
determining a specified remediation measure, based upon the reputation score, to remediate a security threat that is identified in the particular web page;
providing the specified remediation measure to one or more of a compromised computer, a sensor computer and an enterprise computer.
Claims 14 through 20 depend on claim 13.
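The pipeline that claims 1 and 13 describe (fetch a page, walk its DOM structure, derive threat features of its links and referenced files without reading page content, score the page, pick a remediation tier), as an added illustration that is not the patent's own implementation. The feature set, weights, thresholds and the sample page are illustrative assumptions; only tag names and attribute values are inspected, never text content.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_FILE_EXTS = (".exe", ".scr", ".jar", ".hta", ".vbs")  # illustrative assumption
WEIGHTS = {"ext_scripts": 2, "hidden_iframes": 5, "risky_file_links": 4}  # assumption

class DomFeatureParser(HTMLParser):
    """Collects link/file features from tag structure only; text is ignored."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.features = {"ext_scripts": 0, "hidden_iframes": 0,
                         "risky_file_links": 0, "ext_hosts": set()}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("src") or a.get("href") or ""
        parsed = urlparse(ref)
        if parsed.netloc and parsed.netloc != self.page_host:  # cross-origin reference
            self.features["ext_hosts"].add(parsed.netloc)
            if tag == "script":
                self.features["ext_scripts"] += 1
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"
                                or "display:none" in style):
            self.features["hidden_iframes"] += 1  # frame the user cannot see
        if tag == "a" and parsed.path.lower().endswith(RISKY_FILE_EXTS):
            self.features["risky_file_links"] += 1  # link to an executable file type

def extract_features(html, page_url):
    p = DomFeatureParser(urlparse(page_url).netloc)
    p.feed(html)
    p.close()
    return p.features

def reputation_score(features):
    """Weighted count of threat indicators; 0 means no structural indicator."""
    return sum(WEIGHTS[k] * features[k] for k in WEIGHTS) + len(features["ext_hosts"])

def remediation(score):
    """Map the score to a remediation tier (thresholds are assumptions)."""
    if score >= 10:
        return "block-and-alert"
    return "sandbox-before-load" if score >= 4 else "allow"

SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example-ads.test/a.js"></script>
<iframe src="https://drop.example.test/x" width="0" height="0"></iframe>
<a href="https://drop.example.test/update.exe">update</a><a href="/about">about</a>
</body></html>"""  # constructed sample page
```

Running `extract_features(SAMPLE_PAGE, "https://www.example.test/")` yields one external script, one hidden iframe, one executable link and two external hosts, for a score of 13 and the "block-and-alert" tier; the remediation string is what a sensor or enterprise host would receive.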