Apparatus for monitoring network traffic
First Claim
1. A data processing apparatus, comprising:
at least one processor;
a first network interface coupled to the processor and configured to be coupled to a protected network;
a second network interface coupled to the processor and configured to be coupled to an external network;
a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor comprises logic which when executed causes the processor to perform;
receiving, from a client computer in the protected network, a request to access a resource in the external network;
blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;
requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;
blocking sending the request to the resource when the reputation score is below a specified threshold;
determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;
in response to the determining, blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.
1 Assignment
0 Petitions
Abstract
A data processing apparatus can perform HTTP traffic monitoring and filtering of HTTP requests from clients and responses from servers. Example apparatus comprises a processor, a first network interface to a protected network, a second network interface to an external network, and a traffic monitor having an address-domain name database, a firewall rules manager, and a DNS snooper. The traffic monitor accesses a blacklist and can perform receiving, from a client computer, a request to access a resource in the external network; blocking the request to the resource when a user agent of the client is in the blacklist as malicious software or when a file extension in a response to the request is in the blacklist; requesting, from a web reputation service, and receiving a reputation score indicating a reputation of the resource; blocking sending the request to the resource when the reputation is below a specified threshold.
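As an added illustration (not code from the patent or its assignee), the decision flow the abstract and claim 1 describe, modelled in Python: blacklist checks on the client's user agent and on the served file's extension, an external reputation lookup, and a grey zone between the allow and block thresholds in which a malware test decides. The threshold values, the whitelist acting as an allow override, the reputation table and the malware test are assumptions; the claim does not fix any of them.

```python
from dataclasses import dataclass
from typing import Callable, Tuple
from urllib.parse import urlsplit
import posixpath

Decision = Tuple[bool, str]  # (allow?, reason)

@dataclass
class TrafficMonitor:
    bad_user_agents: set                  # blacklist: user agents identified as malware
    bad_extensions: set                   # blacklist: file extensions (no dot) in responses
    whitelist: set                        # hostnames; allow-override is an assumption
    reputation: Callable[[str], float]    # stand-in for the external reputation service
    malware_test: Callable[[dict], bool]  # True when the request passes the test
    allow_threshold: float = 80.0         # first threshold: at or above -> allow
    block_threshold: float = 40.0         # second threshold: below -> block

    def check_request(self, request: dict) -> Decision:
        host = urlsplit(request["url"]).hostname or ""
        if request.get("user_agent") in self.bad_user_agents:
            return False, "user agent blacklisted as malware"
        if host in self.whitelist:
            return True, "host whitelisted"
        score = self.reputation(host)
        if score < self.block_threshold:
            return False, f"reputation {score} below block threshold"
        if score < self.allow_threshold:
            # grey zone between the two thresholds: block unless the test passes
            if not self.malware_test(request):
                return False, f"reputation {score} in grey zone, malware test failed"
            return True, f"reputation {score} in grey zone, malware test passed"
        return True, f"reputation {score} at or above allow threshold"

    def check_response(self, response: dict) -> Decision:
        # extension of the served file: Content-Disposition name, else the URL path
        name = response.get("filename") or posixpath.basename(urlsplit(response["url"]).path)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in self.bad_extensions:
            return False, f"file extension .{ext} blacklisted"
        return True, "response file extension not blacklisted"

# constructed sample data: reputation table, blacklists, and a placeholder malware test
REPUTATION = {"updates.example.com": 95.0, "cdn.example.net": 60.0, "bad.example.org": 10.0}
MONITOR = TrafficMonitor(
    bad_user_agents={"BotUA/1.0"}, bad_extensions={"exe", "scr"},
    whitelist={"intranet.example.com"},
    reputation=lambda host: REPUTATION.get(host, 50.0),
    malware_test=lambda req: req.get("accept", "").startswith("text/html"),
)
```

A deployment would query the reputation service over the network and run the response check before releasing the body to the client; here both are local stand-ins so the block runs offline.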
456 Citations
18 Claims
1. A data processing apparatus, comprising:
at least one processor;
a first network interface coupled to the processor and configured to be coupled to a protected network;
a second network interface coupled to the processor and configured to be coupled to an external network;
a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor comprises logic which when executed causes the processor to perform;
receiving, from a client computer in the protected network, a request to access a resource in the external network;
blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;
requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;
blocking sending the request to the resource when the reputation score is below a specified threshold;
determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;
in response to the determining, blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A data processing apparatus, comprising:
at least one processor;
a first network interface coupled to the processor and configured to be coupled to a protected network;
a second network interface coupled to the processor and configured to be coupled to an external network;
a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor comprises;
means for receiving, from a client computer in the protected network, a request to access a resource in the external network;
means for blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;
means for requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;
means for blocking sending the request to the resource when the reputation score is below a specified threshold;
means for determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;
means responsive to the determining means for blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A computer-readable volatile or non-volatile storage medium storing encoded thereon one or more sequences of instructions which, when executed by at least one processor, cause the processor to perform:
initiating operation of a traffic monitor comprising a database of addresses and domain names, a firewall rules manager, and a DNS snooper, wherein the traffic monitor is coupled to a blacklist and a whitelist, wherein the traffic monitor is coupled to a first network interface that is coupled to the processor and configured to be coupled to a protected network, wherein the traffic monitor is coupled to a second network interface coupled to the processor and configured to be coupled to an external network;
receiving, from a client computer in the protected network, a request to access a resource in the external network;
blocking sending the request to the resource when a user agent of the client is identified in the blacklist as malicious software or when a file extension of a file in a response to the request is in the blacklist;
requesting, from an external web reputation service, and receiving a reputation score value indicating a reputation of the resource;
blocking sending the request to the resource when the reputation score is below a specified threshold;
determining that the reputation score value is between a first specified threshold for allowing requests and a second specified threshold for blocking requests;
in response to the determining, blocking sending the request to the resource when the request fails to pass a test indicating that malicious software is probably associated with the request.
Dependent claim: 18.
Specification