System and method for risk rating and detecting redirection activities

US 8,869,271 B2
Filed: 02/02/2010
Issued: 10/21/2014
Est. Priority Date: 02/02/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, from a client device in a network environment, a first network address to be evaluated;

searching predetermined risk ratings in a memory element for a first predetermined risk rating associated with the first network address;

configuring, when none of the predetermined risk ratings indicates the first network address is malicious, a first request to the first network address to prevent a redirection to another network address from being followed;

sending the first request to the first network address;

determining whether a first response to the first request indicates a first redirection from the first network address to a second network address; and

searching the predetermined risk ratings for a second predetermined risk rating associated with the second network address if the first redirection from the first network address to the second network address is indicated in the first response,wherein, if the second predetermined risk rating is found and indicates the second network address is malicious, the first redirection is not followed and information is provided to the client device based on the second predetermined risk rating.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes sending a first request to a first network address on a first server and determining whether the first network address has been redirected on the server to a second network address. The method further includes searching a memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address. The method also includes providing a risk response to a client if a predetermined risk rating is found. In more specific embodiments, the risk response includes sending an alert to the client or blocking the client from accessing the second network address if the predetermined risk rating indicates the second network address is malicious. In other more specific embodiments, the first network address is redirected to one or more other network addresses before being redirected to the second network address.

20 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving, from a client device in a network environment, a first network address to be evaluated;
  
  searching predetermined risk ratings in a memory element for a first predetermined risk rating associated with the first network address;
  
  configuring, when none of the predetermined risk ratings indicates the first network address is malicious, a first request to the first network address to prevent a redirection to another network address from being followed;
  
  sending the first request to the first network address;
  
  determining whether a first response to the first request indicates a first redirection from the first network address to a second network address; and
  
  searching the predetermined risk ratings for a second predetermined risk rating associated with the second network address if the first redirection from the first network address to the second network address is indicated in the first response,wherein, if the second predetermined risk rating is found and indicates the second network address is malicious, the first redirection is not followed and information is provided to the client device based on the second predetermined risk rating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the providing the information based on the second predetermined risk rating comprises sending an alert to the client device.
  - 3. The method of claim 1, wherein the client device is blocked from accessing the second network address if the second predetermined risk rating indicates the second network address is malicious.
  - 4. The method of claim 1, wherein the first response includes a status code indicating whether the first network address has been redirected, wherein the first response includes the second network address if the status code indicates the first network address has been redirected.
  - 5. The method of claim 1, further comprising:
    - sending a second request to the second network address hosted on a second server device if the second predetermined risk rating is found and indicates the second network address is trustworthy;
      
      searching the predetermined risk ratings for a third predetermined risk rating associated with a third network address if a second response to the second request indicates a second redirection from the second network address to the third network address, wherein the second redirection is not followed if the third predetermined risk rating is found and indicates the third network address is malicious.
  - 6. The method of claim 1, further comprising:
    - sending the second network address to a malware analysis system for determining a new risk rating for the second network address if the memory element does not include a predetermined risk rating associated with the second network address.
  - 7. The method of claim 6, wherein the malware analysis system updates the memory element with the new risk rating and associates the new risk rating with the second network address.
  - 8. The method of claim 1, wherein the first network address is a Uniform Resource Locator (URL) link retrieved from a selected one of a group consisting of a web page, a document file, a media file, or a flash file.
  - 9. The method of claim 8, wherein the URL link is embedded in the web page, the document file, the media file or the flash file.

10. One or more non-transitory tangible media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- receiving, from a client device in a network environment, a first network address to be evaluated;
  
  searching predetermined risk ratings in a memory element for a first predetermined risk rating associated with the first network address;
  
  configuring, when none of the predetermined risk ratings indicates the first network address is malicious, a first request to the first network address to prevent a redirection to another network address from being followed;
  
  sending the first request to the first network address;
  
  determining whether a first response to the first request indicates a first redirection from the first network address has to a second network address; and
  
  searching the predetermined risk ratings for a second predetermined risk rating associated with the second network address if the first redirection from the first network address to the second network address is indicated in the first response,wherein, if the second predetermined risk rating is found and indicates the second network address is malicious, the first redirection is not followed and information is provided to the client device based on the second predetermined risk rating.
- View Dependent Claims (11, 12, 13, 17, 18)
- - 11. The one or more non-transitory tangible media of claim 10, wherein the first response includes a status code indicating whether the first network address has been redirected, wherein the first response includes the second network address if the status code indicates the first network address has been redirected.
  - 12. The one or more non-transitory tangible media of claim 10, the operations further comprising:
    - sending a second request to the second network address when the none of the predetermined risk ratings indicates the second network address is malicious; and
      
      searching the predetermined risk ratings for a third predetermined risk rating associated with a third network address if a second response to the second request indicates a second redirection from the second network address to the third network address, wherein the second redirection is not followed if the third predetermined risk rating is found and indicates the third network address is malicious.
  - 13. The one or more non-transitory tangible media of claim 10, wherein the first network address is a Uniform Resource Locator (URL) link retrieved from a selected one of a group comprising a web page, a document file, a media file, or a flash file.
  - 17. The one or more non-transitory tangible media of claim 10, the operations further comprising:
    - sending a second request to the second network address hosted on a second server device if none of the predetermined risk ratings is associated with the second network address;
      
      determining whether a second response to the second request indicates a second redirection from the second network address to a third network address; and
      
      updating the predetermined risk ratings with a new risk rating for the second network address, wherein the new risk rating indicates that the second network address is unknown if the second network address has not been redirected, and wherein the new risk rating indicates that the second network address is malicious if the second response indicates a second redirection from the second network address to the third network address and if the third network address is determined to be malicious.
  - 18. The one or more non-transitory tangible media of claim 10, the operations further comprising:
    - updating the predetermined risk ratings to indicate that the first network address is malicious if the second predetermined risk rating indicates the second network address is malicious.

14. An apparatus, comprising:
- a redirection module;
  
  a memory element configured to store one or more network addresses each having an associated risk rating; and
  
  a processor operable to execute instructions associated with the redirection module, including;
  
  receiving, from a client device in a network environment, a first network address to be evaluated;
  
  searching predetermined risk ratings in the memory element for a first predetermined risk rating associated with the first network address;
  
  configuring, when none of the predetermined risk ratings indicates the first network address is malicious, a first request to the first network address to prevent a redirection to another network address from being followed;
  
  sending the first request to the first network address;
  
  determining whether a first response to the first request indicates a first redirection from the first network address to a second network address; and
  
  searching the predetermined risk ratings for a second predetermined risk rating associated with the second network address if the first redirection from the first network address has been redirected to the second network address is indicated in the first response,wherein, if the second predetermined risk rating is found and indicates the second network address is malicious, the first redirection is not followed and information is provided to the client device based on the second predetermined risk rating.
- View Dependent Claims (15, 16, 19, 20)
- - 15. The apparatus of claim 14, wherein the first response includes a status code indicating whether the first network address has been redirected, wherein the first response includes the second network address if the status code indicates the first network address has been redirected.
  - 16. The apparatus of claim 14, wherein the processor is operable to perform further instructions, including sending the second network address to a malware analysis system for determining a new risk rating for the second network address if the memory element does not include a predetermined risk rating associated with the second network address.
  - 19. The apparatus of claim 14, wherein the processor is operable to execute further instructions associated with the redirection module, including:
    - sending a second request to the second network address when the none of the predetermined risk ratings indicates the second network address is malicious; and
      
      searching the predetermined risk ratings for a third predetermined risk rating associated with a third network address if a second response to the second request indicates a second redirection from the second network address to the third network address, wherein the second redirection is not followed if the third predetermined risk rating is found and indicates the third network address is malicious.
  - 20. The apparatus of claim 14, wherein the processor is operable to execute further instructions associated with the redirection module, including:
    - updating the predetermined risk ratings to indicate that the first network address is malicious if the second predetermined risk rating indicates the second network address is malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Jayaraman, Shankar, Singh, Vikas, Sreedharan, Jayesh K.
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
TRAN, TRI MINH

Application Number

US12/698,922
Publication Number

US 20110191849A1
Time in Patent Office

1,722 Days
Field of Search

726 22- 26
US Class Current

726/22
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

H04L 67/563   Data redirection of data ne...

System and method for risk rating and detecting redirection activities

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for risk rating and detecting redirection activities

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links