| CPC H04L 63/1416 (2013.01) [H04L 63/1441 (2013.01)] | 15 Claims |
|
1. A method, comprising:
receiving a universal resource locator (URL), the receiving performed by a URL velocity monitor operating in a first computer network;
decomposing, by the URL velocity monitor, the URL into URL features based on logical boundaries of the URL;
determining, by the URL velocity monitor from the URL features of the URL, URL features of interest;
determining, by the URL velocity monitor, a URL velocity tracking strategy;
tracking, by the URL velocity monitor based on the URL velocity tracking strategy, a velocity of each respective URL feature of the URL features of interest in email traffic of a second computer network, wherein the URL velocity tracking strategy comprises a rule or information that specifies how the respective URL feature of the URL features of interest in the email traffic of the second computer network is to be handled, the tracking comprising monitoring a volume of the respective URL feature in the email traffic within a time period, wherein tracking the velocity of the respective feature is performed in accordance with the rule or information specified by the URL velocity tracking strategy, wherein determining the URL velocity tracking strategy comprises using a slow counter and a fast counter to track acceleration and the velocity of the respective URL feature within the time period;
determining, by the URL velocity monitor, whether the velocity of the respective URL feature is accelerating based on a change in the velocity within the time period; and
responsive to a determination that the velocity of the respective URL feature is accelerating within the time period, placing the URL in a queue for sandboxing or analyzing the URL in a sandboxed computer environment.
|