Offline URL Reputation Overview

MetaDefender Sandbox on-premise / standalone integrates an Offline URL detector ML model.

Offline URL reputation is applied automatically in air-gapped / offline environments (when no internet connection is available); in online mode it is disabled by default.

Introduction

The offline URL detection ML model enhances security by identifying suspicious URLs. Unlike traditional methods, it applies machine learning trained on a dataset of labelled URLs to detect threats without relying on web rendering or code analysis, so malicious URL detection can still be carried out in an air-gapped sandbox environment.

Key differences

  • Real-time vs. Offline Analysis: Online reputation depends on real-time data and active web interactions, whereas offline URL reputation relies on pre-existing datasets and machine learning models to evaluate URLs without needing live access.
  • Resource Intensity: Online reputation methods can be resource-intensive due to the need for real-time rendering and analysis. Offline URL reputation is less resource-demanding, as it uses pre-trained models to make assessments.
  • Adaptability: Offline URL detection is more adaptable in environments with limited or no internet access, providing a consistent layer of security regardless of connectivity.

Operations

The model analyzes key attributes of a new URL to assess its safety. It then generates a probability score indicating the likelihood that the URL is malicious or benign.

Example

Its adaptability to offline environments makes it versatile for various security scenarios, such as preventing malware from exfiltrating data through disguised URLs or thwarting phishing attempts by flagging fraudulent links in emails.

Data

The Suspicious URL detector Machine Learning model was trained on close to 1 million URLs from various sources, including reputation vendors and feeds.

Report

The Offline Reputation result is displayed under OSINT Lookups in the scan report.

The item details

  • Resource: Identifies the URL being analyzed.
  • Type: Specifies the nature of the entity.
  • Origin: The method used to assess the reputation of the URL (e.g. VBA Emulation: in this example, VBA emulation helps identify whether the code performs malicious activities, such as downloading malware or manipulating system files, which could affect the reputation of the associated URL).
  • Provider: Indicates the dataset provider: OPSWAT (Online) Reputation or OfflineURLReputation.
  • Verdict: The trained model is applied to the extracted features to predict whether the URL is benign or suspicious.

Please find the Showcase Report here.
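To make the Operations and Report sections concrete, the following is an added example (not MetaDefender Sandbox code and not the product's actual model): a small logistic scorer over lexical URL features that needs no network access, returning a probability and a report item with the Resource / Type / Origin / Provider / Verdict fields described above. The feature set, the weights, the keyword and TLD lists, and the "Lexical URL analysis" origin label are all hypothetical; a real model learns its weights from labelled URLs. The two sample URLs are constructed (192.0.2.10 is a documentation address).

```python
import math
import re
from urllib.parse import urlsplit

# Hypothetical weights standing in for a trained model (logistic regression
# over lexical features). A real model learns these from labelled URLs.
WEIGHTS = {
    "bias": -5.0,
    "length": 0.02,          # per character of the full URL
    "host_entropy": 0.5,     # Shannon entropy of the host string
    "subdomains": 0.5,       # labels beyond the last two
    "ip_host": 2.5,          # host is a bare IPv4 address
    "digits": 0.05,          # digits in host and path
    "at_sign": 2.0,          # user-info '@' in the authority
    "suspicious_tld": 1.0,
    "keywords": 1.2,         # per phishing-style keyword in path/query
    "punycode": 1.5,         # 'xn--' label present
}
# Constructed lists for the example; not a vendor feed.
SUSPICIOUS_TLDS = {"zip", "top", "xyz", "click"}
KEYWORDS = ("login", "verify", "secure", "update", "account", "bank")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def shannon_entropy(text):
    """Shannon entropy in bits of the characters in text (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(url):
    """Lexical features computed purely from the URL string: no fetch, no rendering."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path_query = (parts.path + ("?" + parts.query if parts.query else "")).lower()
    is_ip = bool(IPV4_RE.match(host))
    labels = host.split(".") if host and not is_ip else []
    return {
        "length": len(url),
        "host_entropy": shannon_entropy(host),
        "subdomains": max(0, len(labels) - 2),
        "ip_host": int(is_ip),
        "digits": sum(ch.isdigit() for ch in host + parts.path),
        "at_sign": int("@" in parts.netloc),
        "suspicious_tld": int(bool(labels) and labels[-1] in SUSPICIOUS_TLDS),
        "keywords": sum(kw in path_query for kw in KEYWORDS),
        "punycode": int(any(lbl.startswith("xn--") for lbl in labels)),
    }


def score(url):
    """Probability that the URL is suspicious, from a logistic combination of the features."""
    feats = extract_features(url)
    z = WEIGHTS["bias"] + sum(WEIGHTS[k] * v for k, v in feats.items())
    return 1.0 / (1.0 + math.exp(-z))


def report_item(url, threshold=0.5):
    """Shape the result like the OSINT Lookups item fields described in the report section."""
    p = score(url)
    return {
        "Resource": url,
        "Type": "url",
        "Origin": "Lexical URL analysis (hypothetical origin label)",
        "Provider": "OfflineURLReputation",
        "Verdict": "suspicious" if p >= threshold else "benign",
        "Probability": round(p, 3),
    }


if __name__ == "__main__":
    for u in ("https://www.example.com/docs/index.html",
              "http://192.0.2.10/login/verify-account.php?user=x"):
        print(report_item(u))
```

The threshold of 0.5 is the point to tune in practice: the page notes the model can only say whether a URL is suspicious rather than give a definitive judgment, so a report consumer should treat the verdict as one signal alongside the online reputation providers, not as a blocklist decision on its own.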

Configuration

The following setting is only required to manually enable the URL model in online mode. However, the feature is enabled automatically in offline mode.

The URL model can only provide an assessment of whether a URL is suspicious, without offering a more definitive judgment. To enable the model, add the following line to the appropriate configuration file:

transform.cfg