Why doesn't the Risk Level change as content change? Does Risk Levels look at page content?

  • Risk Levels do not solely look at the content of a page to determine risk. This is not a scalable model for detecting risk. It requires trying to predict what the next malicious Javascript / HTML  attack vector will be and building a signature around it. These have a very high false positive rate, without substantial detections.
  • Risk Levels are determined by a series of classifiers, we call “caucuses” or voting systems. These look at the metadata features surrounding the site. So while we might not know what the site is doing, we can statistically prove that the site is doing something directly correlated with bad behavior.
    • Some  Examples of our caucuses are:
      • Shady Traffic: It looks at the URL request itself: query string, user-agent, filename, port, path etc…
      • Shady content: Looks at file type, content, tags, etc…
      • Shady name: looks at the TLD, domain name, etc…
      • Shady Neighborhood: looks at the IP reputation of the sites network
      • Shady Response: looks at the response of the request.
      • Context Engine: Examines virtually all tokens available from the URL
    • All of these ultimately have different weights that combine with ground truth knowledge such as Malware Analysis or other feeds to form a final Risk Level
    • Of all of these, it just so happens that over a decade of analysis has proven to us that content a less significant factor in determining the risk of a site than others. So when content changes, our Risk Level calculator doesn’t pay a lot of attention to it.

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation