Viruses, worms and other malicious software programs, collectively known as malware, are used by hackers to attack networks in attempts to gain access to computing devices and data. Malware arriving in network traffic can be blocked by monitoring layers 3 and 4 and looking for a match to a specified signature. In the Open Systems Interconnection (OSI) communication model, layers 1 (Physical Layer), 2 (Data Link Layer) and 3 (Network Layer) have protocols that specify how a network packet is moved from source to destination. Layers 4 (Transport Layer) and 7 (Application Layer) provide the specifics of a request and identify the application that created the packets. Layer 7 applications include File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Hypertext Transfer Protocol (HTTP) and the Domain Name System (DNS) protocol. Layer 7 handles file transfers and display formatting. Generally, Internet Protocol (IP) security applies signature matching at the network and transport layers (layers 3 and 4) to block individual files. However, targeted or shotgun attacks that direct multiple and varied pieces of malware at network endpoints are difficult to defend against. As an example of a targeted or shotgun attack, a hacker could use a toolkit and try different malicious Portable Document Format (PDF) files, with each PDF file targeting a different vulnerability in an Acrobat reader. Each file could potentially have a different uniform resource locator (URL). The traditional approach of blocking all future connections to a source (e.g., blocking all connections to an Internet Protocol address or a host) does not provide a desirable user experience, especially when these files are hosted on a compromised but otherwise legitimate website. In addition, blocking by URL alone is not sufficient, because there could be multiple URLs hosting malware.
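The trade-off described above, between blocking a single file by signature, blocking a URL, and blocking an entire host, can be made concrete with a small simulation. The following is an added example and not part of the original text or of any product it describes; the traffic records, file contents, hash list and host names are constructed for illustration. It models a compromised but otherwise legitimate site serving two different malicious PDFs from two URLs, where the defender has so far analysed only the first sample, and scores each blocking policy by how much malware it stops and how much legitimate content it also blocks.

```python
"""Compare per-file signature blocking with URL and host blocking.

Added example with constructed data; not code from the original text.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    """One observed file transfer: where it came from and what was served."""
    host: str
    url: str
    body: bytes


def sha256(data: bytes) -> str:
    """File signature used here: a plain SHA-256 of the transferred body."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample traffic. docs.example.com is a legitimate site that has
# been compromised to serve two distinct malicious PDFs (A and B) alongside
# its normal content; cdn.example.net is an unrelated benign host.
TRAFFIC = [
    Download("docs.example.com", "http://docs.example.com/index.html",
             b"<html>welcome</html>"),
    Download("docs.example.com", "http://docs.example.com/a.pdf",
             b"%PDF-1.4 MALICIOUS-SAMPLE-A"),
    Download("docs.example.com", "http://docs.example.com/b.pdf",
             b"%PDF-1.4 MALICIOUS-SAMPLE-B"),
    Download("docs.example.com", "http://docs.example.com/manual.pdf",
             b"%PDF-1.4 benign manual"),
    Download("cdn.example.net", "http://cdn.example.net/app.js",
             b"console.log('ok')"),
]

# Ground truth, used only for scoring (constructed).
MALICIOUS_URLS = {
    "http://docs.example.com/a.pdf",
    "http://docs.example.com/b.pdf",
}

# The defender's current knowledge: only sample A has been analysed, so its
# file hash, its URL and its hosting site are known. Sample B is an unseen
# variant, as in the multi-PDF toolkit scenario described in the text.
KNOWN_BAD_HASHES = {sha256(b"%PDF-1.4 MALICIOUS-SAMPLE-A")}
KNOWN_BAD_URLS = {"http://docs.example.com/a.pdf"}
KNOWN_BAD_HOSTS = {"docs.example.com"}


def block_by_signature(dl: Download) -> bool:
    """Block an individual file whose content matches a known signature."""
    return sha256(dl.body) in KNOWN_BAD_HASHES


def block_by_url(dl: Download) -> bool:
    """Block any request for a URL previously seen serving malware."""
    return dl.url in KNOWN_BAD_URLS


def block_by_host(dl: Download) -> bool:
    """Block every connection to a host previously seen serving malware."""
    return dl.host in KNOWN_BAD_HOSTS


POLICIES = {
    "signature": block_by_signature,
    "url": block_by_url,
    "host": block_by_host,
}


def evaluate(policy_name: str, traffic=TRAFFIC) -> dict:
    """Score a policy: malware stopped, benign content blocked, malware missed."""
    decide = POLICIES[policy_name]
    counts = {"blocked_malicious": 0, "blocked_benign": 0, "missed_malicious": 0}
    for dl in traffic:
        blocked = decide(dl)
        malicious = dl.url in MALICIOUS_URLS
        if blocked and malicious:
            counts["blocked_malicious"] += 1
        elif blocked and not malicious:
            counts["blocked_benign"] += 1
        elif malicious:
            counts["missed_malicious"] += 1
    return counts


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:>9}: {evaluate(name)}")
```

Run as a script, the output shows the two failure modes the text describes: the signature and URL policies both stop sample A but let the unseen sample B through, while the host policy stops both samples at the cost of also blocking the site's legitimate pages.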
It is within this context that the embodiments arise.