| CPC H04L 63/0236 (2013.01) [G06F 16/22 (2019.01); G06F 16/9566 (2019.01); G06F 16/986 (2019.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); G06F 21/51 (2013.01); G06F 21/566 (2013.01); G06F 21/577 (2013.01)] | 20 Claims |
|
1. A method, comprising:
receiving, by a computer, a real time click event as a browser on a user device attempts to load a page linked by a universal resource locator (URL); and
while the page is being rendered by the browser with page data from a web server hosting the page, performing, by the computer:
determining whether the URL is known as a bad URL; and
responsive to the URL not being known as a bad URL:
intercepting the page data communicated from the web server to the browser;
determining, from the page data, microfeatures of the page and any URLs referenced by the page;
applying detection rules to events associated with rendering the page in the browser, the microfeatures of the page, and the URLs referenced by the page;
determining whether application of the detection rules indicates that any content, activity, or sequence of events associated with the page is considered malicious; and
responsive to the page being considered malicious, condemning the URL before the content of the page is fully rendered on the user device.
|