SYSTEM AND METHOD FOR RISK RATING AND DETECTING REDIRECTION ACTIVITIES

US 20110191849A1
Filed: 02/02/2010
Published: 08/04/2011
Est. Priority Date: 02/02/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

sending a first request to a first network address on a first server device;

determining whether the first network address has been redirected at the first server device to a second network address;

searching a memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address; and

providing a risk response to a client device if a predetermined risk rating is found.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes sending a first request to a first network address on a first server and determining whether the first network address has been redirected on the server to a second network address. The method further includes searching a memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address. The method also includes providing a risk response to a client if a predetermined risk rating is found. In more specific embodiments, the risk response includes sending an alert to the client or blocking the client from accessing the second network address if the predetermined risk rating indicates the second network address is malicious. In other more specific embodiments, the first network address is redirected to one or more other network addresses before being redirected to the second network address.

116 Citations

20 Claims

1. A method, comprising:
- sending a first request to a first network address on a first server device;
  
  determining whether the first network address has been redirected at the first server device to a second network address;
  
  searching a memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address; and
  
  providing a risk response to a client device if a predetermined risk rating is found.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the risk response comprises sending an alert to the client device if the predetermined risk rating indicates the second network address is malicious.
  - 3. The method of claim 1, wherein the risk response comprises blocking the client device from accessing the second network address if the predetermined risk rating indicates the second network address is malicious.
  - 4. The method of claim 1, wherein the risk response comprises allowing the client device to access the second network address if the predetermined risk rating indicates the second network address is safe.
  - 5. The method of claim 1, wherein the determining whether the first network address has been redirected further comprises receiving a first response with a status code indicating whether the first network address has been redirected, wherein the first response includes the second network address if the status code indicates the first network address has been redirected.
  - 6. The method of claim 1, wherein the first network address is redirected to one or more other network addresses before being redirected to the second network address.
  - 7. The method of claim 6, further comprising:
    - searching the memory element for each of the one or more other network addresses to determine if a predetermined risk rating is associated with any of the one or more other network addresses; and
      
      sending an alert to a client device if a predetermined risk rating is found and if the predetermined risk rating indicates an associated network address is malicious.
  - 8. The method of claim 1 further comprising:
    - sending a second request to a second network address on a second server device if the predetermined risk rating is found, wherein the predetermined risk rating indicates the second network address is trustworthy.
  - 9. The method of claim 1, further comprising:
    - sending the second network address to a malware analysis system for determining a new risk rating for the second network address if the memory element does not include a predetermined risk rating associated with the second network address.
  - 10. The method of claim 9, wherein the malware analysis system updates the memory element with the new risk rating and associates the new risk rating with the second network address.
  - 11. The method of claim 1, wherein the first network address is a Uniform Resource Locator (URL) link retrieved from a selected one of a group consisting of a web page, a document file, a media file, or a flash file.
  - 12. The method of claim 8, wherein the URL link is embedded in the web page, the document file, the media file or the flash file.
  - 13. The method of claim 1, wherein the first request is a Hypertext Transfer Protocol (HTTP) HEAD request configured not to follow redirects.

14. Logic encoded in one or more tangible media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- sending a first request to a first network address on a first server device;
  
  determining whether the first network address has been redirected at the first server device to a second network address;
  
  searching a memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address; and
  
  providing a risk response to a client device if a predetermined risk rating is found.
- View Dependent Claims (15, 16, 17)
- - 15. The logic of claim 14 wherein the determining whether the first network address has been redirected further comprises receiving a first response with a status code indicating whether the first network address has been redirected, wherein the first response includes the second network address if the status code indicates the first network address has been redirected.
  - 16. The logic of claim 14, wherein the first network address is redirected to one or more other network addresses before being redirected to the second network address.
  - 17. The logic of claim 16, further comprising:
    - searching the memory element for each of the one or more other network addresses to determine if a predetermined risk rating is associated with any of the one or more other network addresses; and
      
      sending an alert to a client device if a predetermined risk rating is found and if the predetermined risk rating indicates an associated network address is malicious.

18. An apparatus, comprising:
- a redirection module;
  
  a memory element configured to store one or more network addresses each having an associated risk rating;
  
  a processor operable to execute instructions associated with the redirection module, including;
  
  sending a first request to a first network address on a first server device;
  
  determining whether the first network address has been redirected at the first server device to a second network address;
  
  searching the memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address; and
  
  providing a risk response to a client device if a predetermined risk rating is found.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, wherein the determining whether the first network address has been redirected further comprises receiving a first response with a status code indicating whether the first network address has been redirected, wherein the first response includes the second network address if the status code indicates the first network address has been redirected.
  - 20. The apparatus of claim 18, wherein the processor is operable to perform further instructions, including sending the second network address to a malware analysis system for determining a new risk rating for the second network address if the memory element does not include a predetermined risk rating associated with the second network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Jayaraman, Shankar, Singh, Vikas, Sreedharan, Jayesh K.

Granted Patent

US 8,869,271 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

H04L 67/563   Data redirection of data ne...

SYSTEM AND METHOD FOR RISK RATING AND DETECTING REDIRECTION ACTIVITIES

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

116 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR RISK RATING AND DETECTING REDIRECTION ACTIVITIES

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others