WO2005091107A1 - Composant de securite pour application navigateur sur internet et procede et dispositif s'y rapportant - Google Patents

Composant de securite pour application navigateur sur internet et procede et dispositif s'y rapportant Download PDF

Info

Publication number
WO2005091107A1
WO2005091107A1 PCT/GB2005/000978 GB2005000978W WO2005091107A1 WO 2005091107 A1 WO2005091107 A1 WO 2005091107A1 GB 2005000978 W GB2005000978 W GB 2005000978W WO 2005091107 A1 WO2005091107 A1 WO 2005091107A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource locator
security
internet
security information
information
Prior art date
Application number
PCT/GB2005/000978
Other languages
English (en)
Inventor
Michael Hugh Prettejohn
Original Assignee
Netcraft Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from GB0405901A external-priority patent/GB2412189B/en
Application filed by Netcraft Limited filed Critical Netcraft Limited
Priority to US10/593,153 priority Critical patent/US20080172382A1/en
Publication of WO2005091107A1 publication Critical patent/WO2005091107A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6272Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database by registering files or documents with a third party
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer

Definitions

  • This invention relates to a security component for use with an Internet browser application.
  • the World Wide Web is frequently used not only for informational purposes but also for commercial transactions, for example Internet shopping.
  • various forms of computer crime such as theft of credit card details from e-commerce web sites, and fake or fraudulent e-mails and web sites are also becoming more widespread.
  • the fraudster constructs an HTML e-mail message with forged e-mail headers indicating that the e-mail has come from the bank, and asks for the recipient to confirm their bank account username and password.
  • the mail usually includes a link to a web server which opens a new window with the bank's own web site (not a copy, but the actual site), and asks for the account details in a separate window, hosted on the attacker's server.
  • Phishing web sites hosted at reasonably reputable hosting companies will usually be taken down quickly once complaints arrive. Therefore, the attacker's server will often be hosted at a company which is paid to ignore complaints about the fraud; some unscrupulous hosting companies in certain countries are known to sell "bullet proof hosting" as a service, meaning that they will endeavour to keep the site running despite requests to close it down from outside of their own jurisdiction.
  • the attacker's server may also be hosted on a computer that the attacker has broken into, without the owner's knowledge.
  • URL encoded usernames have never been widely used, with web sites typically using authentication details such as usernames and passwords and/or cookies to administer user sessions and state, and "@" in URLs has almost exclusively been used for tricks, jokes, and fraud attempts.
  • TM Microsoft's Internet Explorer
  • the '%01' characters exploits the bug in Microsoft's Internet Explorer web browser, thereby obscuring the appearance of the URL.
  • the encoded characters make it difficult for recipients to spot the "@" sign that gives away the concealed URL of the target web page.
  • the URL the user sees displayed in the browser window will be "http://ibank.barclays.co.uk”
  • the real URL of the web page being viewed is actually "http://www.newyersm.com:80/1 ogon.OO.php”.
  • Internet browser applications typically display an indication of whether a web page being accessed is "secure", that is to say, whether communication between the browser and the web server is encrypted.
  • the browser window of Microsoft's Internet Explorer comprises a status bar which, amongst other things, displays a lock symbol when an SSL web site is being accessed.
  • this information only indicates that the communication between the browser and the server is protected. Furthermore this information can easily be missed or ignored by the user, who may not be aware of its significance.
  • a user is particularly likely to fail to notice the absence of the lock symbol when visiting what appears to be a very familiar web site.
  • a fake web site is implemented as an SSL site, the lock symbol would be displayed, reassuring the user into believing that the site is safe.
  • the authentic web site of the financial institution is displayed, with a pop-up window requesting the relevant information.
  • a security component for use with an Internet browser application which displays Internet resources in response to resource locators specifying the Internet resources, the security component being adapted to operate alongside the Internet browser application at a user terminal; the security component comprising: means for storing a plurality of resource locator patterns, each resource locator pattern matching one or more resource locators relating to Internet resources known or believed to be associated with security risks; means for receiving a resource locator from the browser application; means for comparing the received resource locator to the stored resource locator patterns; and means for providing a security alert if the received resource locator matches one of the stored resource locator patterns.
  • the Internet browser application may, for example, be a web browser for browsing the World Wide Web.
  • the term "Internet resources" preferably includes any type of resource available on the Internet, including web pages (for example in HTML format), and other document and media files, such as audio and video data files.
  • Resource locators may, for example, be in the form of Uniform Resource Locators (URL). Resource locators may also be in the form of encoded representations of URLs. For example, part or all of the URL may be encoded as a check sum or hash code.
  • the resource locators are preferably character strings and the resource locator patterns are preferably character patterns. Character patterns preferably specify characters or character sequences, and a character pattern is preferably considered to match resource locators which include those characters or character sequences.
  • the security component is preferably adapted to process a pattern comprising one or more wildcards or placeholders.
  • a wildcard or placeholder may, for example, be used to match a pattern to a resource locator which includes an arbitrary character or character sequence in place of the wildcard or placeholder. This can allow for greater flexibility in specifying resource locators to which access is to be restricted, and can also allow resource locators containing unusual or suspicious characters to be identified, leading to improved security.
  • the component preferably further comprises means for transmitting a representation of the resource locator to a security information server, and means for receiving security information relating to the resource locator from the security information server. This can provide a more flexible way of obtaining security information relating to a resource locator.
  • the representation of the resource locator may simply be the resource locator itself, or may be an encoding of the resource locator, comprising, for example, a check sum or hash code of some or all of the resource locator.
  • the security information may suitably comprise a risk rating and/or IP registration information. In this way, suspicious resources can be more easily identified.
  • the alerting means may be adapted to prevent the Internet browser application from displaying the Internet resource specified by the resource locator.
  • a security component for use with an Internet browser application which displays Internet resources in response to resource locators specifying the Internet resources; the security component comprising means for receiving a resource locator from the browser application; means for transmitting a representation of the resource locator to a remote server; means for receiving IP registration information relating to the resource locator from the remote server; and means for displaying the IP registration information.
  • a security information server comprising: a database of security information relating to Internet locations; means for receiving a security information request comprising a representation of a resource locator from a user terminal; means for retrieving security information relating to the resource locator from the database; and means for transmitting the security information to the user terminal.
  • Internet location preferably refers to an Internet domain, sub-domain or host, to an IP address, to an Internet page or Internet site, or to any other suitable Internet information source unit.
  • the database may be adapted to store a plurality of resource locator patterns, each resource locator pattern matching one or more resource locators relating to Internet resources known or believed to be associated with security risks, the security information server preferably further comprising means for receiving pattern version information from a user terminal specifying the version of a local copy of the resource locator patterns held at the user terminal, and means for transmitting pattern update information to the user terminal in dependence on the version information to update the local copy of the resource locator patterns.
  • the security information server preferably further comprising means for receiving pattern version information from a user terminal specifying the version of a local copy of the resource locator patterns held at the user terminal, and means for transmitting pattern update information to the user terminal in dependence on the version information to update the local copy of the resource locator patterns.
  • the security information server preferably further comprises means for receiving an indication of a suspected security risk relating to a specified resource locator from a user terminal; and means for adding a resource locator pattern matching the specified resource locator to the stored resource locator patterns.
  • the database is preferably adapted to store information relating to suspected security vulnerabilities associated with an Internet location. This can enable a more accurate assessment of the security of an Internet location. For the same reason, the database is preferably adapted to store registration information relating to a plurality of IP addresses, and the retrieving means is adapted to retrieve registration information relating to an IP address associated with the received resource locator representation.
  • a method of providing security information to a user accessing via the Internet accounts for holding or managing money or other tokens of value comprising: storing domain names and/or IP address information relating to trusted Internet sites providing access to such accounts; receiving a resource locator specifying an Internet resource requested by the user; determining whether the resource locator relates to a trusted Internet site by comparing a domain name or IP address associated with the resource locator to the stored domain names and/or IP address information; and outputting a corresponding indication to the user if it is determined that the resource locator does relate to a trusted Internet site.
  • the invention also provides a plug-in or toolbar for an Internet browser application comprising a security component as described herein and/or adapted to carry out a method as described herein.
  • the invention also provides a computer program and a computer program product for carrying out any of the methods described herein and/or for embodying any of the apparatus features described herein, and a computer readable medium having stored thereon a program for carrying out any of the methods described herein and/or for embodying any of the apparatus features described herein.
  • the invention also provides a signal embodying a computer program for carrying out any of the methods described herein and/or for embodying any of the apparatus features described herein, a method of transmitting such a signal, and a computer product having an operating system which supports a computer program for carrying out any of the methods described herein and/or for embodying any of the apparatus features described herein.
  • the invention extends to methods and/or apparatus substantially as herein described with reference to the accompanying drawings. Any feature in one aspect of the invention may be applied to other aspects of the invention, in any appropriate combination. In particular, method aspects may be applied to apparatus aspects, and vice versa. Furthermore, features implemented in hardware may generally be implemented in software, and vice versa. Any reference to software and hardware features herein should be construed accordingly.
  • FIG. 1 gives an overview of the architecture of a security system
  • Figure 2 illustrates the security system of Figure 1 in greater detail
  • Figure 3 is a simplified representation of the visual appearance of a web browser window using a security toolbar
  • Figure 4 is a simplified representation of the visual appearance of the security toolbar of Figure 3
  • Figure 5 is a flow diagram illustrating the processing performed by the security toolbar
  • Figure 6 is a flow diagram illustrating the processing performed by a security information server.
  • the proposed security system takes the form of an extensible and adaptive web based database system. It is intended to defeat a popular form of fraudulent attack on web based banking systems, and also provide significant ancillary benefits in the form of additional security, an Internet-wide community or neighbourhood watch scheme, and considerably enhanced marketing opportunities.
  • the security system is illustrated in overview in Figure 1.
  • a plurality of user terminals 10 (for example, general purpose personal computers) are connected to a network 16, in the present example the Internet, through which they can access a variety of information.
  • An Internet browser application 12 (also referred to simply as a web browser) is provided on each terminal to manage the access to the resources available through the Internet, in particular via the World-Wide Web.
  • a security information server 18 is also connected to the Internet.
  • the security component 14 interacts with the web browser to provide security information to the user of the browser regarding web sites visited by the user.
  • the security component 14 performs a number of checks on any URL (Uniform Resource Locator) entered by the user. Firstly, the component 14 performs local checks to determine whether a URL matches certain criteria. Secondly, the component carries out remote checks by communicating with the security information server 18 via the Internet 16.
  • the security information server 18 stores information relating to the security of web sites on the Internet, which can be sent to the security component 14 on request. This information includes a blacklist of URLs or web sites which are known to have security risks associated with them, for example because they are involved in known phishing attacks. A local copy of this blacklist is held by the security component 14.
  • the security component 14 can provide security information to security information server 18, in particular by reporting web sites that the user considers to be suspicious. Such user feedback is stored in the database and is then available to other users of the system.
  • the security component 14 comprises a toolbar which can be integrated into the web browser application 12.
  • Toolbars are software components which provide a grouping of user interface features such as selection boxes, input fields and buttons, along with associated functionality. Toolbars can be provided as add-in components (also called "plug-ins”) to existing software applications to enhance the applications' functionality.
  • TM Netscape Navigator
  • TM Microsoft Internet Explorer
  • toolbars available for Microsoft Internet Explorer (TM) include the Alexa toolbar (developed by Alexa Internet) and the Google toolbar (provided by Google, Inc.).
  • the toolbar provides both local and remote checking of URLs requested by the user. Local checking involves determining whether the URL conforms to certain criteria, either by corresponding to a particular character pattern or by appearing in the local copy of the blacklist listing web sites associated with known risks. In particular, the local checks involve detecting suspicious characters or character patterns which might indicate that the URL is associated with some kind of fraud attempt.
  • the "@" and "%01" characters discussed above are examples of such characters.
  • the toolbar can trap these suspicious URLs, and highlight them as dangerous. It can further report such URLs to a central database managed by the security information server 18, from where they can in turn be reported to the bank and hosting locations as appropriate.
  • the local checks further include checking the URL against a locally held blacklist of Internet addresses known or suspected to be associated with security risks such as phishing attacks. Each URL visited by a user is checked against the local copy of this blacklist. If the URL visited is one which has been reported as suspicious by other users, or which has been identified as having a security risk associated with it, it will be found in the blacklist and a suitable warning message is then displayed.
  • a single character pattern matching mechanism may be provided to detect both suspicious characters and specific blacklisted URLs.
  • the toolbar also communicates with the security information server 18 to obtain additional information about each URL visited by the user (for example, the hosting location of the URL) and to obtain updates to the local copy of the blacklist from a master copy stored in a central database at the server 18.
  • the toolbar does not store a local copy of the blacklist. Instead, the toolbar reports each URL requested by a user to the server 18, where it is checked against the blacklist stored in the central database. If the reported URL is one which has been reported as suspicious by other users, this is immediately reported back to the toolbar to enable a warning message to be displayed.
  • the toolbar also provides a feedback mechanism with which users can report web sites which are considered suspicious to the security information server. These web sites can then be added to the central copy of the blacklist. Through periodic updates of locally held copies of the blacklist, individual toolbars are then made aware of this new security risk.
  • phishing attacks are usually carried out on a large scale (that is, the attackers will typically send many thousands or even millions of e-mails in the expectation that some will reach customers of the bank), means that the chance of a fraudulent web site being reported quickly is increased, which in turn expedites reporting of the fraud attempt to the bank or other organisation, its customers, and hosting locations.
  • the system comprises two main components: a security component that resides on each user computer and is active whenever the user is browsing the web using web browsing software (implemented, in the present example, as a toolbar) and a security information server including a database, which must be able to respond quickly to large numbers of requests as each of the system's users moves around the worldwide web.
  • a security component that resides on each user computer and is active whenever the user is browsing the web using web browsing software (implemented, in the present example, as a toolbar) and a security information server including a database, which must be able to respond quickly to large numbers of requests as each of the system's users moves around the worldwide web.
  • Toolbars are typically implemented using an API (application program interface) made available by the web browser provider, and/or toolbar building toolkits available from third party suppliers.
  • the toolbar may, for example, be implemented as a Browser Helper Object.
  • the central server (in practice, this can comprise multiple computers, potentially spread over multiple locations; it will be referred to herein simply as the central server, as it is a logical unit of functionality) maintains information on the state of the user community and the system's knowledge about URLs and sites visited by the community. Communication between the toolbar and the central server uses the HTTP protocol, as well as the SSL protocol (which is essentially encrypted HTTP) for any information where the sensitivity merits the computational overhead of the encryption operations.
  • user terminal 10 communicates with central server 18 via the Internet 16 in order to obtain security information relating to URLs visited by a user of the user terminal.
  • the user terminal 10 comprises a web browser application 12, for example Microsoft Internet Explorer (TM) or Netscape Navigator (TM).
  • the toolbar component 14 is associated with web browser 12 and communicates with the web browser to provide security information.
  • the toolbar component 14 maintains a pattern store 22, for storing one or more character patterns used to identify suspicious URLs.
  • the character patterns may, for example, specify particular characters or character sequences whose appearance in a URL may indicate a security risk.
  • the character patterns are used to identify both suspicious characters (such as the "@” and "%01" characters discussed above) and entire URLs to which access is to be restricted.
  • each character pattern specifies characters or character sequences, and may include wildcards. This allows greater flexibility in blocking not only specific characters and specific URLs, but also related groups of URLs. For example, a pattern such as "http://www.website.com/*". in which "*" is a wildcard, may be used to effectively block an entire website, since it will match any URL beginning with the text preceding the "*" wildcard. As a further example, in the pattern "http://*.website.com/*", the portion of the URL identifying the sub domain has been replaced by a wildcard.
  • a copy of the character patterns is also maintained by the toolbar component 14 and kept up to date by a periodic update procedure.
  • a user enters a URL into web browser 12 (for example by keyboard input or by clicking on a link).
  • the web browser 12 passes the URL to the toolbar component 14 for checking.
  • the toolbar performs both local and remote checks to obtain security information and to determine whether any security risks are associated with the URL entered.
  • the toolbar component attempts to match the URL against the character patterns stored locally in pattern store 22. If the URL matches one of the stored patterns, the user is alerted by display of relevant information in the toolbar, and the toolbar instructs the browser 12 not to proceed with loading the web site specified by the URL but to display suitable warning information instead.
  • the URL is thereby effectively blocked, though the user is given the opportunity to override the blocking and access the blocked site if required.
  • the toolbar sends a token representing the URL via the
  • the representation of the URL may simply be the URL string itself. However, for privacy reasons, it may not be desirable to report each URL in full to the security information server 18.
  • the toolbar therefore transmits an encoded representation of the URL.
  • the encoded representation comprises the protocol, host, domain and, if applicable, port information from the URL in clear text, together with a check sum or hash code of the remainder of the URL.
  • the URL "http://www.example.com/users/private” would be transmitted to the security information server as "http://www.example.com” in clear text together with a hash code or check sum of the remainder "/users/private".
  • the check sum or hash code may be generated using any suitable algorithm, such as, for example, MD5.
  • Security information server 18 looks up the representation of the URL in security information database 20 and returns any relevant security information relating to that URL. This may include information regarding known vulnerabilities, information relating to the hosting location of the URL and/or information regarding a risk level associated with the URL (calculated as described below). This information is displayed by the toolbar 14. Then, if the URL is not to be blocked, the toolbar instructs the web browser 12 to load and display the requested page.
  • FIG. 3 illustrates, in a simplified manner, the visual appearance of a web browser using a security toolbar as described herein.
  • the web browser executing on the user terminal displays a browser window 40, including common browser interface components such as a menu bar 42, an address bar 44 for entering and displaying URLs, a browsing toolbar 46 containing buttons for standard browsing functions such as back, forward, stop and home, and a page display area 48.
  • the user accesses a new web page typically either by entering a URL into address bar 44 or clicking a link in page display area 48 (other ways of selecting web pages may also be provided, for example by way of a "favourites" menu or history list).
  • the web browser then fetches the web page corresponding to the URL entered and displays it in display area 48.
  • the security toolbar 50 provides functions relating to URL checking and security information display.
  • Figure 4 illustrates the appearance of the toolbar in more detail, again in a simplified manner and purely by way of example.
  • Toolbar 50 comprises a logo display area 52 for displaying a name, logo or other indication of the toolbar provider. This may, for example, be a financial institution. In the present example, the (fictitious) name "FakeBank" is shown.
  • the toolbar further comprises a button 54 for reporting a suspicious web site and a further button 56 for requesting further security information relating to a web site.
  • a status display area 58 of the toolbar 50 provides a summary of the security status of the web site currently being accessed, stating whether any known security vulnerabilities are associated with the web site, giving a risk rating calculated for the web site (60), and giving the country (62) and name (64) of the company to which the IP address corresponding to the URL is registered.
  • the risk rating may, for example, be displayed in a graphical representation.
  • the country may, for example, be indicated by displaying a flag image.
  • the toolbar may also provide further functions, for example by way of further buttons or by way of a menu accessible by right-clicking on the toolbar.
  • the toolbar receives an event notification from the web browser when the user requests a new URL.
  • the toolbar then performs both local and remote checking on the URL, firstly by pattern matching against locally stored character patterns and secondly by obtaining security information from the security information server.
  • the security information server Upon receiving the event notification stating that a new URL has been requested, the toolbar attempts to match the URL against patterns of dangerous URLs.
  • patterns are supplied to the toolbar by the security information server.
  • patterns can be maintained through a general software update mechanism (as described below), or through a separate protocol of request/responses to the security information server.
  • this pattern matching is performed locally on the user's computer. This can also reduce vulnerability of the whole system to failure of the security information server (for example as a result of a malicious Denial of Service attack).
  • the pattern matching may also be performed centrally at the security information server, or the processing may be split, for example with the toolbar checking only for suspicious characters, and the server checking the URL against a URL blacklist. In that case, it may be sufficient for the toolbar to poll the security information server for updates to the patterns when the web browser application starts up.
  • phishing attacks often involve opening the authentic web page of the bank or other organisation in the background, with the fake web page relating to the attack displayed in the style of a pop-up window in front.
  • the pop-up window will usually suppress display of the menu bar, address bars and toolbars that are normally displayed in a browser window (as is usually the case for advertising pop-up windows and the like), so that the user cannot see the URL of the page being displayed and is led to assume that it, like the bank's web page behind, is authentic. Naturally, the user would also be unable to see the security toolbar in this case.
  • a further feature of the toolbar is therefore that it forces display of at least the address bar and security toolbar in every browser window, including pop-up windows.
  • the processing performed by the toolbar is summarised in Figure 5.
  • the toolbar receives a URL from the web browser for checking.
  • the toolbar compares the URL to the character patterns
  • a representation of the URL is then sent to the security information server in step 108.
  • This representation includes the protocol, name and port (if any) of the web site referred to by the URL as described above.
  • the toolbar also sends version information identifying the version of the local copy of the URL character patterns. This may, for example, identify the date and time at which the local copy of the patterns was last updated.
  • the toolbar receives a response from the security information server at step 110 in the form of security information relating to the URL.
  • the security information server may also send update information relating to the local copy of the URL character patterns. This may, for example, include any patterns which have changed or have been added to the master copy of the pattern list held at the security information server since the last update, and information identifying any patterns which have been removed from the master copy of the pattern list.
  • the toolbar updates its local copy of the patterns accordingly.
  • the security information received from the security information server is displayed in the status display area (58) of the toolbar in step 114.
  • the alerting of the user and blocking of the web page is achieved by displaying a warning message which has to be acknowledged by the user before the page can be displayed.
  • the warning message may, for example, include a statement that the page has been blocked and why, a link via which the user can report that the web page has, in the user's opinion, been incorrectly flagged as dangerous, and a link via which the user can gain access to the blocked page despite the security warning.
  • the warning message may, for example, be presented in the page display area 48 of the web browser window 40 in the form of a warning page displayed in place of the actual web page referred to by the URL. If the checks did not indicate that the web page should be blocked, then the web browser downloads and displays the requested page as normal.
  • the toolbar may cache the information received in respect of a particular web site for a short period, such as 5, 10 or 15 minutes, though longer periods may also be used (such as half an hour or an hour). In a preferred example, the toolbar caches the information for up to 14 minutes.
  • the toolbar also provides the following additional functionality: Version management: On start up the toolbar checks with a software update server to determine whether a new version of the toolbar is available, and offers to download and install the new version if this is the case (the software update server may be incorporated into the security information server or may be separate). Branding: The toolbar can further provide branding and navigational functionality relevant to the toolbar provider.
  • the provider of the overall security system and of the toolbar software could licence the toolbar and reporting functionality to organisations such as banks, financial institutions, and e-commerce companies, offering them the ability to brand the toolbar with their own logos, brands and identifying marks, to provide shortcuts to their own services and to bring new information and offers to the attention of its customers via the toolbar.
  • licensees would typically pay an annual licence fee for the services provided, for example based on the number of customers of the licensee using the services.
  • the toolbar can therefore provide an attractive branding and customer loyalty mechanism for the provider, keeping their logo and services on screen throughout the time the customer spends using the web.
  • Licence management For commercial flexibility, the opportunity to grant licences to organisations covering a particular time frame may be desirable. This can be achieved by providing licence management functionality, whereby the toolbar checks with a central server (such as the software update server described above) on start up to determine if a licence period has been exceeded, and disables the toolbar if it has. Tell a friend: The system provider may wish to encourage deployment of the toolbar to proliferate as quickly as possible. In this respect, the toolbar could include "Tell a friend" functionality to enable users to more conveniently recommend its adoption to their friends and colleagues, for example by way of automatic e-mailing to one or more e-mail addresses entered by the user.
  • the security information server 18 manages the security information database 20, which stores various types of security information relating to web sites and web pages, including the master copy of the list of URL character patterns used to identify potentially dangerous URLs, such as URLs which have been previously reported by the system's user community.
  • the toolbar 14 maintains its own local copy of this pattern list.
  • the security information server 18 also processes security information requests received from toolbars. Each such request includes a representation of the URL for which information is required. This representation typically includes the protocol, name and port (if any) of the web site referred to by the URL.
  • the server also performs the step of comparing this URL representation with the URL character patterns.
  • the patterns corresponding to URLs may be stored in a representation corresponding to the representation of URLs received from the toolbars, in which case a direct comparison may be performed.
  • the database may store reported URLs in clear text, in which case the comparison step may comprise generating the equivalent representation (including the check sum or hash code) of URLs specified in the pattern list and comparing the generated representation to the URL representation received. Normally the results of this comparison will be negative, in which case the browser continues its normal action.
  • the security information server 18 uses the received URL representation to retrieve security information relating to the web site in question from the security information database 20, and transmits this security information to the toolbar for display.
  • the security information server 50 comprises a button 54 for reporting web sites believed to be in some way suspicious.
  • a knowledgeable and experienced user visits a previously unreported URL that he believes to be related to a fraud such as a phishing attack, he can report this using the reporting button on the toolbar.
  • the security information server then records this information against the URL and may additionally flag the URL for review, highlight it as a threat to any other community members visiting the URL, or wait for corroborating reports from other members of the community, or review from a system administrator.
  • a reported URL can be added as a character pattern to the master copy of the character patterns stored in the security information database, from where it can then be passed to local copies stored by individual toolbar clients using the previously described update process.
  • the system operator may of course decide to add a generalised character pattern (e.g. using a wildcard) to capture not only the specific reported URL but also other URLs referring to the same web site.
  • the security information database stores information relating to the hosting location of web sites. More specifically, the database stores IP registration information relating to IP addresses, which includes information indicating the company or person to whom a given IP address (or IP address range) is registered. For a given URL, the IP address of the host on which the web page referred to by the URL resides can be determined by DNS server lookup. Registration information relating to that IP address can then be obtained from the security information database.
  • the security vulnerability information relating to a given URL could be obtained dynamically by carrying out a vulnerability assessment in response to a request received from a toolbar, for efficiency and performance reasons it is preferable to perform assessments independently of the requests and to store the resulting vulnerability information in the database.
  • the security information server could perform vulnerability assessments on a daily basis, assessing any new web sites visited by users during the last day, as well as any existing web sites for which vulnerability information is already stored in the database, but which are due to be re- evaluated.
  • the security information server could perform a dynamic vulnerability assessment only on those web sites for which information is not already available in the database.
  • the hosting location information, vulnerability information and risk assessment / risk rating information associated with a URL is transmitted to the toolbar where it is displayed.
  • the status display area 58 of toolbar 50 displays a risk rating (60) (in this example, a rating of 5 on a scale of 0 to 8, represented graphically) and indicates that no known vulnerabilities are associated with the present web site (61) and that the IP address of the page being viewed is registered to "FakeBank pic.” (64) in Great Britain (62).
  • the processing performed by the security information server in response to an information request received from a toolbar is summarised in Figure 6.
  • the security information server receives a request containing a representation of a URL to be checked, along with version information identifying the version of the local copy of the URL character patterns held by the toolbar in pattern store 22.
  • the server compares the version of the local copy held by the toolbar with the version of the master list stored in security information database 20. If the toolbar is holding an out-of-date copy, updates are sent to bring the client up-to-date at step 206.
  • the server performs a DNS lookup to determine the IP address associated with the URL (this being the IP address of the host referred to by the URL). It then retrieves IP registration information relating to the IP address from the database in step 210, in particular the name and country of the company to whom the IP address is registered. The country can, for example, be derived from the dialling code of a company telephone contact number given in the registration information, if the registration information does not itself indicate the country.
  • the server retrieves vulnerability information relating to the web site from the database. This may be recorded in the database either against the domain and host name or the IP address of the web site referred to by the URL and looked up accordingly. Additionally, the server constructs the risk rating assessment relating to the web site. This may be calculated dynamically in response to the request or may be obtained from previously calculated risk rating information stored in the database. A response comprising the security information is then transmitted to the toolbar at step 214, where the information is displayed to the user. In alternative embodiments where a copy of the URL character patterns is not held locally at the toolbar, the server also compares the URL representation to the pattern list stored in the database, and transmits an alert in case of a match.
  • the security information transmitted at step 214 is only a summary of the information available in the database.
  • the security information server may simply indicate whether or how many security vulnerabilities are associated with a given web site, or whether a given web site should be considered a risk.
  • the user can request more detailed information, such as the exact types of any vulnerabilities detected, and detailed information concerning the organisation hosting the web site. Due to the limited screen space available to the toolbar, this detailed information may, for example, be displayed in the form of an HTML page in page display area 48 rather than in the toolbar itself.
  • the icon may be displayed if either the domain name or the IP address can be matched, or may only be displayed if both domain name and IP address can be matched. If neither the domain name nor the IP address are found in the database (or alternatively only one of them), then the icon is not displayed. If the user believes that he is accessing a banking web site, then the absence of the graphical icon in the toolbar should alert the user to the fact that the web site being accessed is not known to the system and therefore may not be genuine. Alternatively, a negative indication could be displayed.
  • the database is populated with details of the domain names and IP address ranges registered to and used by known banks and similar organisations. This information may be obtained directly from the organisations concerned. Since this information may change over time as new domain names and IP addresses are allocated, it is necessary to update the information regularly. To achieve this, the system may regularly look up the IP addresses associated with known domain names and add them to the IP address list if not already there.
  • the toolbar provider can thereby obtain valuable information about the behaviour of their customers on the World Wide Web.
  • important aspects of the security system described include: • Trapping of suspicious URLs containing characters which have no common purpose other than to deceive. • Convenience of reporting the fraud to the bank and to the hosting location. • Community watch behaviour of the system making warnings about fraudulent URLs immediately available to the rest of the community via display on the toolbar. Supervisor validation or a voting system can be used to reduce and eliminate the impact of false reporting of URLs. • Clear display of sites' hosting location at all times while the user browses the web. • Indication of security vulnerabilities and risk assessments or risk ratings relating to sites visited.
  • the security information server could perform all URL checking tasks including the character pattern matching.
  • the security information (such as the hosting location and vulnerability information described above) could be provided to the toolbar only on request, possibly under control of the information button on the toolbar.
  • a separate software component could also be used which intercepts URL requests output by the browser. This could, for example, work at the operating system level.
  • a URL rewriting proxy could also fulfil the functionality of the toolbar, and provide facilities independent of particular operating system and browser software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Cette invention concerne un composant de sécurité destiné à être utilisé avec une application navigateur sur Internet, qui affiche des ressources Internet en réponse à la réception de localisateurs de ressources précisant des ressources Internet. Le composant de sécurité comprend des moyens de réception d'un localisateur de ressources en provenant d'une application navigateur et des moyens déclenchant une alarme de sécurité si le localisateur de ressources remplit un ou plusieurs critères. Le composant de sécurité peut être un module d'extension ou une barre d'outil pour une application navigateur Internet. Sont également décrits un serveur d'informations de sécurité et un procédé de fourniture d'informations de sécurité.
PCT/GB2005/000978 2004-03-16 2005-03-15 Composant de securite pour application navigateur sur internet et procede et dispositif s'y rapportant WO2005091107A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/593,153 US20080172382A1 (en) 2004-03-16 2005-03-15 Security Component for Use With an Internet Browser Application and Method and Apparatus Associated Therewith

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB0405901A GB2412189B (en) 2004-03-16 2004-03-16 Security component for use with an internet browser application and method and apparatus associated therewith
GB0405901.0 2004-03-16
GB0416612.0 2004-07-26
GBGB0416612.0A GB0416612D0 (en) 2004-03-16 2004-07-26 Security component for use with an internet browser application and method and apparatus associated therewith

Publications (1)

Publication Number Publication Date
WO2005091107A1 true WO2005091107A1 (fr) 2005-09-29

Family

ID=34962963

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2005/000978 WO2005091107A1 (fr) 2004-03-16 2005-03-15 Composant de securite pour application navigateur sur internet et procede et dispositif s'y rapportant

Country Status (1)

Country Link
WO (1) WO2005091107A1 (fr)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007072320A2 (fr) * 2005-12-23 2007-06-28 International Business Machines Corporation Methode d'evaluation d'une adresse reseau et d'acces a une adresse reseau
WO2007136665A2 (fr) 2006-05-19 2007-11-29 Cisco Ironport Systems Llc Procédé et appareil destinés à contrôler l'accès à des ressources réseau en fonction d'une réputation
US20080060062A1 (en) * 2006-08-31 2008-03-06 Robert B Lord Methods and systems for preventing information theft
DE102007013339A1 (de) 2007-03-20 2008-09-25 Giesecke & Devrient Gmbh Portabler Datenträger als Web-Server
EP2017758A1 (fr) * 2007-07-02 2009-01-21 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Système et procédé informatiques destinés à la vérification du contenu
WO2009009859A1 (fr) * 2007-07-13 2009-01-22 Von Arx Kim G Système et procédé pour fournir des services en ligne à l'aide de noms de domaine enregistrés et individualisés
FR2954547A1 (fr) * 2009-12-21 2011-06-24 Alcatel Lucent Procede de detection d’un detournement de ressources informatiques
CN102385583A (zh) * 2010-08-31 2012-03-21 腾讯科技(深圳)有限公司 一种控制浏览器打开窗口的方法及网页浏览器
US8245049B2 (en) 2004-06-14 2012-08-14 Microsoft Corporation Method and system for validating access to a group of related elements
CN102932335A (zh) * 2012-10-17 2013-02-13 北京奇虎科技有限公司 在浏览器处呈现网站的相关信息的方法和浏览器
US8646029B2 (en) 2011-05-24 2014-02-04 Microsoft Corporation Security model for a layout engine and scripting engine
US8839418B2 (en) * 2006-01-18 2014-09-16 Microsoft Corporation Finding phishing sites
GB2517021A (en) * 2013-05-13 2015-02-11 Appsense Ltd Context transfer from web page to application
US9167052B2 (en) 2013-05-13 2015-10-20 Appsense Limited Apparatus, systems, and methods for providing policy in network-based applications
US9342274B2 (en) 2011-05-19 2016-05-17 Microsoft Technology Licensing, Llc Dynamic code generation and memory management for component object model data constructs
US9430452B2 (en) 2013-06-06 2016-08-30 Microsoft Technology Licensing, Llc Memory model for a layout engine and scripting engine
US9479525B2 (en) 2014-10-23 2016-10-25 International Business Machines Corporation Interacting with a remote server over a network to determine whether to allow data exchange with a resource at the remote server
US9912720B2 (en) 2013-05-13 2018-03-06 Appsense Us Llc Context aware browser policy
US10291615B2 (en) 2013-05-13 2019-05-14 Ivanti Us Llc Web event framework

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5884033A (en) * 1996-05-15 1999-03-16 Spyglass, Inc. Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions
WO2001059594A2 (fr) * 2000-02-08 2001-08-16 Harris Corporation Systeme et procede permettant l'evaluation d'une posture de securite d'un reseau appliquant des regles de decision en logique floue orientees but
US20030014659A1 (en) * 2001-07-16 2003-01-16 Koninklijke Philips Electronics N.V. Personalized filter for Web browsing
US20030033231A1 (en) * 2001-08-09 2003-02-13 Jonathan Turner System and methods for providing financial account information over a network
US20030126267A1 (en) * 2001-12-27 2003-07-03 Koninklijke Philips Electronics N.V. Method and apparatus for preventing access to inappropriate content over a network based on audio or visual content
US20030233581A1 (en) * 2000-03-03 2003-12-18 Eran Reshef System for determining web application vulnerabilities

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5884033A (en) * 1996-05-15 1999-03-16 Spyglass, Inc. Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions
WO2001059594A2 (fr) * 2000-02-08 2001-08-16 Harris Corporation Systeme et procede permettant l'evaluation d'une posture de securite d'un reseau appliquant des regles de decision en logique floue orientees but
US20030233581A1 (en) * 2000-03-03 2003-12-18 Eran Reshef System for determining web application vulnerabilities
US20030014659A1 (en) * 2001-07-16 2003-01-16 Koninklijke Philips Electronics N.V. Personalized filter for Web browsing
US20030033231A1 (en) * 2001-08-09 2003-02-13 Jonathan Turner System and methods for providing financial account information over a network
US20030126267A1 (en) * 2001-12-27 2003-07-03 Koninklijke Philips Electronics N.V. Method and apparatus for preventing access to inappropriate content over a network based on audio or visual content

Cited By (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8601278B2 (en) 2004-06-14 2013-12-03 Microsoft Corporation Validating access to a group of related elements
US8245049B2 (en) 2004-06-14 2012-08-14 Microsoft Corporation Method and system for validating access to a group of related elements
JP2009521047A (ja) * 2005-12-23 2009-05-28 インターナショナル・ビジネス・マシーンズ・コーポレーション ネットワーク・アドレスを評価し、アクセスするための方法
WO2007072320A3 (fr) * 2005-12-23 2007-09-20 Ibm Methode d'evaluation d'une adresse reseau et d'acces a une adresse reseau
US8201259B2 (en) 2005-12-23 2012-06-12 International Business Machines Corporation Method for evaluating and accessing a network address
WO2007072320A2 (fr) * 2005-12-23 2007-06-28 International Business Machines Corporation Methode d'evaluation d'une adresse reseau et d'acces a une adresse reseau
KR100935776B1 (ko) * 2005-12-23 2010-01-06 인터내셔널 비지네스 머신즈 코포레이션 네트워크 어드레스 평가 방법, 컴퓨터 판독 가능한 기록 매체, 컴퓨터 시스템, 네트워크 어드레스 액세스 방법, 컴퓨터 인프라를 활용하는 방법 및 기업의 네트워크 통신 트래픽의 분석을 수행하는 방법
US8839418B2 (en) * 2006-01-18 2014-09-16 Microsoft Corporation Finding phishing sites
EP2033108A2 (fr) * 2006-05-19 2009-03-11 Cisco Ironport Systems LLC Procédé et appareil destinés à contrôler l'accès à des ressources réseau en fonction d'une réputation
EP2033108A4 (fr) * 2006-05-19 2014-07-23 Cisco Ironport Systems Llc Procédé et appareil destinés à contrôler l'accès à des ressources réseau en fonction d'une réputation
WO2007136665A2 (fr) 2006-05-19 2007-11-29 Cisco Ironport Systems Llc Procédé et appareil destinés à contrôler l'accès à des ressources réseau en fonction d'une réputation
US20080060062A1 (en) * 2006-08-31 2008-03-06 Robert B Lord Methods and systems for preventing information theft
US8386913B2 (en) 2007-03-20 2013-02-26 Giesecke & Devrient Gmbh Portable data carrier as a web server
WO2008113599A3 (fr) * 2007-03-20 2009-02-05 Giesecke & Devrient Gmbh Supports de données portatifs en tant que serveurs web
US9137296B2 (en) 2007-03-20 2015-09-15 Giesecke & Devrient Gmbh Portable data carrier as a web server
DE102007013339A1 (de) 2007-03-20 2008-09-25 Giesecke & Devrient Gmbh Portabler Datenträger als Web-Server
EP2017758A1 (fr) * 2007-07-02 2009-01-21 Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V. Système et procédé informatiques destinés à la vérification du contenu
WO2009009859A1 (fr) * 2007-07-13 2009-01-22 Von Arx Kim G Système et procédé pour fournir des services en ligne à l'aide de noms de domaine enregistrés et individualisés
CN102792306A (zh) * 2009-12-21 2012-11-21 阿尔卡特朗讯公司 用于检测计算机资源劫持的方法
WO2011083226A1 (fr) * 2009-12-21 2011-07-14 Alcatel Lucent Procédé de détection d'un détournement de ressources informatiques
FR2954547A1 (fr) * 2009-12-21 2011-06-24 Alcatel Lucent Procede de detection d’un detournement de ressources informatiques
US9104874B2 (en) 2009-12-21 2015-08-11 Alcatel Lucent Method for detecting the hijacking of computer resources
CN102385583B (zh) * 2010-08-31 2016-01-20 腾讯科技(深圳)有限公司 一种控制浏览器打开窗口的方法及网页浏览器
CN102385583A (zh) * 2010-08-31 2012-03-21 腾讯科技(深圳)有限公司 一种控制浏览器打开窗口的方法及网页浏览器
US10248415B2 (en) 2011-05-19 2019-04-02 Microsoft Technology Licensing, Llc Dynamic code generation and memory management for component object model data constructs
US9342274B2 (en) 2011-05-19 2016-05-17 Microsoft Technology Licensing, Llc Dynamic code generation and memory management for component object model data constructs
US8881101B2 (en) 2011-05-24 2014-11-04 Microsoft Corporation Binding between a layout engine and a scripting engine
US9582479B2 (en) 2011-05-24 2017-02-28 Microsoft Technology Licensing, Llc Security model for a layout engine and scripting engine
US8918759B2 (en) 2011-05-24 2014-12-23 Microsoft Corporation Memory model for a layout engine and scripting engine
US9116867B2 (en) 2011-05-24 2015-08-25 Microsoft Technology Licensing, Llc Memory model for a layout engine and scripting engine
US8904474B2 (en) 2011-05-24 2014-12-02 Microsoft Corporation Security model for a layout engine and scripting engine
US9830306B2 (en) 2011-05-24 2017-11-28 Microsoft Technology Licensing, Llc Interface definition language extensions
US8689182B2 (en) 2011-05-24 2014-04-01 Microsoft Corporation Memory model for a layout engine and scripting engine
US9244896B2 (en) 2011-05-24 2016-01-26 Microsoft Technology Licensing, Llc Binding between a layout engine and a scripting engine
US8646029B2 (en) 2011-05-24 2014-02-04 Microsoft Corporation Security model for a layout engine and scripting engine
US9830305B2 (en) 2011-05-24 2017-11-28 Microsoft Technology Licensing, Llc Interface definition language extensions
CN102932335A (zh) * 2012-10-17 2013-02-13 北京奇虎科技有限公司 在浏览器处呈现网站的相关信息的方法和浏览器
US10291615B2 (en) 2013-05-13 2019-05-14 Ivanti Us Llc Web event framework
US9167052B2 (en) 2013-05-13 2015-10-20 Appsense Limited Apparatus, systems, and methods for providing policy in network-based applications
US9900367B2 (en) 2013-05-13 2018-02-20 Appsense Us Llc Context transfer from web page to application
US9912720B2 (en) 2013-05-13 2018-03-06 Appsense Us Llc Context aware browser policy
GB2517021A (en) * 2013-05-13 2015-02-11 Appsense Ltd Context transfer from web page to application
US10764352B2 (en) 2013-05-13 2020-09-01 Ivanti Us Llc Context aware browser policy
US9430452B2 (en) 2013-06-06 2016-08-30 Microsoft Technology Licensing, Llc Memory model for a layout engine and scripting engine
US10282238B2 (en) 2013-06-06 2019-05-07 Microsoft Technology Licensing, Llc Memory model for a layout engine and scripting engine
US10353751B2 (en) 2013-06-06 2019-07-16 Microsoft Technology Licensing, Llc Memory model for a layout engine and scripting engine
US9832218B2 (en) 2014-10-23 2017-11-28 International Business Machines Corporation Interacting with a remote server over a network to determine whether to allow data exchange with a resource at the remote server
US9479525B2 (en) 2014-10-23 2016-10-25 International Business Machines Corporation Interacting with a remote server over a network to determine whether to allow data exchange with a resource at the remote server
US10382470B2 (en) 2014-10-23 2019-08-13 International Business Machines Corporation Interacting with a remote server over a network to determine whether to allow data exchange with a resource at the remote server

Similar Documents

Publication Publication Date Title
US20080172382A1 (en) Security Component for Use With an Internet Browser Application and Method and Apparatus Associated Therewith
WO2005091107A1 (fr) Composant de securite pour application navigateur sur internet et procede et dispositif s'y rapportant
JP6871357B2 (ja) オンライン詐欺を検出するためのシステムおよび方法
Wu et al. Effective defense schemes for phishing attacks on mobile computing platforms
US8429751B2 (en) Method and apparatus for phishing and leeching vulnerability detection
US8996697B2 (en) Server authentication
US8079087B1 (en) Universal resource locator verification service with cross-branding detection
US7694135B2 (en) Security systems and services to provide identity and uniform resource identifier verification
US7690035B2 (en) System and method for preventing fraud of certification information, and recording medium storing program for preventing fraud of certification information
US8776224B2 (en) Method and apparatus for identifying phishing websites in network traffic using generated regular expressions
US20080086638A1 (en) Browser reputation indicators with two-way authentication
US20130031213A1 (en) Obtaining and assessing objective data relating to network resources
US20140283069A1 (en) Protecting against the introduction of alien content
US20060070126A1 (en) A system and methods for blocking submission of online forms.
JP2008521149A (ja) オンライン詐欺の可能性に関連するデータを解析するための方法およびシステム
WO2006119479A2 (fr) Determination de reputations de sites web faisant appel a un test automatique
WO2007058732A2 (fr) Systeme et methodes d'authentification b2c (des entreprises aux particuliers)
WO2007106826A2 (fr) Validation de detention de noms de domaine
JP2008507005A (ja) オンライン詐欺解決法
JP2008522291A (ja) オンライン詐欺の早期の検出およびモニタリング
US20210176263A1 (en) Consumer Threat Intelligence Service
GB2456742A (en) Determining trust levels for data sources
Chanti et al. A literature review on classification of phishing attacks
US20210081962A1 (en) Data analytics tool
Malderle et al. Warning of affected users about an identity leak

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase
WWE Wipo information: entry into national phase

Ref document number: 10593153

Country of ref document: US