The proliferation of malicious, inappropriate, and/or unwanted information, contents and/or messages on the Internet has necessitated individuals and organizations to adopt protection techniques and systems. Individuals and organizations may employ software and/or hardware to implement various filtering schemes for intercepting and inhibiting unauthorized attempts to access, download, or transmit malicious, inappropriate, and/or unwanted information, contents, and/or messages.
For example, in the art, there exists a filtering scheme known as uniform resource locator (URL) filtering, for detecting and managing attempts to access malicious and/or inappropriate websites. There also exists a filtering scheme known as email filtering, for detecting and managing attempts to send malicious, inappropriate, and/or unwanted email messages. In general, the various filtering schemes are implemented in disjoint arrangements with different devices and may be operated by different service providers. Example prior art arrangements for URL filtering and email filtering are discussed below with reference to FIGS. 1 and 2.
FIG. 1 illustrates an example prior art arrangement for URL filtering based on URL reputation. As illustrated in the example of FIG. 1, the arrangement may include a URL reputation server 140 connected to gateway 120, which may be operated by an enterprise.
When a user of client 101, such as an employee of the enterprise, wishes to access the website hosted at web server 152, gateway 120 may intercept the HTTP request sent by client 101. Gateway 120 may extract the URL in the HTTP request and send the URL in a URL reputation request to URL reputation server 140 through internet 130.
After receiving the URL reputation request. URL reputation server 140 may look up a database to determine the reputation of the concerned URL. URL reputation server 140 may then send a URL reputation response to gateway 120. The URL reputation response may contain URL reputation information. The URL reputation information may represent, for example, the category of the website.
Gateway 120 may determine whether to block the access to the website based on the URL reputation information. If the access is to be blocked according to the URL reputation information and to the policies (or rules) stored in gateway 120, gateway 120 may block the access and send a notification to client 101. If the access is to be allowed, gateway 120 may forward the HTTP request to web server 132 through internet 130. In return, web server 152 may provide an HTTP response to gateway 120. The HTTP response may contain the content of the website or a web page on the website. Gateway 120 may then forward the HTTP response to client 101.
FIG. 2 illustrates an example prior art arrangement for e-mail filtering based on network reputation. As illustrated in the example of FIG. 2, the arrangement may include the network reputation server 240 connected to gateway 120.
When a sending mail server 250 external to the enterprise attempts to send an e-mail message to the user of client 101, sending mail server 254 may send a TCP connection request, which may be intercepted/received by gateway 120. Gateway 120 may then extract the IP address of sending mail server 250 from the TCP connection request and send the IP address in a network reputation request to network reputation server 240 through internet 130.
After receiving the network reputation request, network reputation server 240 may look up the reputation of the IP address and then return the reputation information to gateway 120. Gateway 120 may determine whether the TCP connection should be allowed based on the network reputation information and the policies stored in gateway 120. If the connection is not to be allowed, gateway 120 may block the connection. If the connection is to be allowed, gateway 120 may establish the TCP connection between mail server 210 and sending mail server 254, such that the e-mail message may be sent to mail server 210. Mail server 210 may then hold the e-mail message until the e-mail message is retrieved or downloaded by client 101.
In general, the URL reputation requests and responses and the network reputation requests and responses may represent a significant amount of data traffic. The data traffic may significantly increase the requirements for network bandwidth, as well as processing resource of gateway 120. Given limited network bandwidth and limited processing resource of gateway 120, the data traffic ma cause, or least contribute to, congestion in the network of the enterprise. As a result, users, such as the user of client 101, may experience significant latency in accessing websites and receiving e-mail.
Further, according to the prior art arrangements, even if web server 152 and sending mail server 254 belong to the same domain, reputation requests and responses typically still have to be individually and separately sent, received, and processed. The individually and separately sent, received, and processed requests and responses for communications concerning the same domain may represent inefficient utilization of network bandwidth and processing resource.