Why doesn't the Risk Level change as content changes? Do Risk Levels look at page content?
Risk Levels do not look solely at the content of a page to determine risk. Relying on content is not a scalable model for detecting risk: it requires trying to predict what the next malicious JavaScript / HTML attack vector will be and building a signature around it. Such signatures have a very high false-positive rate without producing substantial detections.
Risk Levels are determined by a series of classifiers that we call “caucuses”, or voting systems. These look at the metadata features surrounding the site. So while we might not know what the site is doing, we can statistically prove that the site is doing something directly correlated with bad behavior.
Some examples of our caucuses are:
Shady Traffic: Looks at the URL request itself: query string, user-agent, filename, port, path, etc.
Shady Content: Looks at file type, content, tags, etc.
Shady Name: Looks at the TLD, domain name, etc.
Shady Neighborhood: Looks at the IP reputation of the site's network.
Shady Response: Looks at the response to the request.
Context Engine: Examines virtually all tokens available from the URL.
All of these have different weights, which combine with ground-truth knowledge such as Malware Analysis or other feeds to form a final Risk Level.
Over a decade of analysis has shown us that, of all of these, content is a less significant factor in determining the risk of a site than the others. So when content changes, our Risk Level calculator doesn’t pay a lot of attention to it.
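The sketch below is an added illustration of weighted caucus voting, not the product's own code. It shows why a change in page content alone barely moves the result. Every weight, threshold, list, the 1-10 output scale and the "malware" ground-truth label are assumptions constructed for the example, and the Context Engine is left out.

```python
import ipaddress
from urllib.parse import urlsplit

# All weights, thresholds and lists are constructed for illustration only.
WEIGHTS = {"traffic": 0.25, "content": 0.05, "name": 0.20,
           "neighborhood": 0.30, "response": 0.20}
RISKY_TLDS = {"invalid", "test"}                     # reserved TLDs as stand-ins
BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

def vote_traffic(req):
    u = urlsplit(req["url"])
    score = 0.5 if u.port not in (None, 80, 443) else 0.0   # unusual port
    score += 0.3 if not req["user_agent"] else 0.0          # missing user-agent
    score += 0.2 if len(u.query) > 100 else 0.0             # very long query string
    return score

def vote_name(req):
    host = urlsplit(req["url"]).hostname or ""
    score = 0.6 if host.rsplit(".", 1)[-1] in RISKY_TLDS else 0.0
    score += 0.4 if sum(c.isdigit() for c in host) >= 3 else 0.0
    return score

def vote_neighborhood(req):
    ip = ipaddress.ip_address(req["ip"])
    return 1.0 if any(ip in net for net in BAD_NETS) else 0.0

def vote_response(req):
    # An image URL that is served with a non-image Content-Type.
    path = urlsplit(req["url"]).path.lower()
    is_image = path.endswith((".png", ".jpg", ".gif"))
    return 0.8 if is_image and not req["content_type"].startswith("image/") else 0.0

def vote_content(req):
    return req["content_score"]  # output of a page-content classifier, 0..1

CAUCUSES = {"traffic": vote_traffic, "content": vote_content, "name": vote_name,
            "neighborhood": vote_neighborhood, "response": vote_response}

def risk_level(req, ground_truth=None):
    if ground_truth == "malware":      # ground truth overrides the vote
        return 10
    score = sum(WEIGHTS[n] * vote(req) for n, vote in CAUCUSES.items())
    return 1 + int(score * 9 + 0.5)    # map 0..1 onto an assumed 1..10 scale

# Constructed sample request metadata.
SAMPLE = {"url": "http://acct-verify-0193.invalid:8081/invoice.png",
          "ip": "203.0.113.45", "user_agent": "",
          "content_type": "application/octet-stream", "content_score": 0.1}
```

With these constructed weights, raising `content_score` from 0.1 to 0.9 leaves the sample at the same level, while moving the same site to a clean network drops it by three levels.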