Web Threat Detection Overview

MetaDefender Sandbox on-premise / standalone integrates the Web Threat Detection Model described below, which is made up of separate content, behavior and structure models.

Introduction

The Web Threat Detection Model enhances security by analyzing a site's structure, behavior, and content to label pages as malicious, based on sandbox verdicts. Once the data has been gathered by the sandbox, the prediction itself takes milliseconds. The model runs in standalone environments but is not available in air-gapped systems.

Key Advantages Over Traditional Phishing Detection:

More Accurate Detection: Traditional phishing detection typically relies on URL reputation or known threat patterns, which can miss new or sophisticated attacks. This model checks multiple aspects of a site (structure, behavior, content), which makes it more accurate at detecting threats.

Real-Time Evaluation: Where traditional phishing detection relies on reputation data or blocklists, this model evaluates the site's observed behavior and content at scan time. This allows it to catch threats that do not match known patterns or listed URLs.

Faster Predictions: Predictions are made in milliseconds once the data is collected, so the classification step adds little to the overall scan time. Note that the sandbox still has to visit the URL and collect the data first; the millisecond figure applies to the model's inference only.

Operations

After a URL is submitted to the sandbox, the model performs a comprehensive analysis of the collected data, including the site's structure, behavior, and content, to assess its safety. Each of the three models generates a probability score indicating the likelihood that the URL is a web threat.

Report

The web threat result is displayed under the URL details tab of the scan report, under the key ML Web Threat Model.

Confidence mappings

Each model's probability score is mapped to a verdict using the score bands below. The bands differ per model, so the same numeric score can map to different verdicts for the content, behavior and structure models.

Verdict          | Description                                                                                   | Content model edges | Behavior model edges | Structure model edges
Benign           | Content and structure appear normal, with no threat indicators.                               | 0.0 - 0.2           | 0.0 - 0.2            | 0.0 - 0.1
No Threat        | Slight or minor deviations detected, but overall low risk.                                    | 0.2 - 0.35          | 0.2 - 0.35           | 0.1 - 0.2
Unknown          | Ambiguous or atypical features; unable to determine threat confidently.                       | 0.35 - 0.6          | 0.35 - 0.5           | 0.2 - 0.8
Suspicious       | Moderate to strong indicators suggesting potential phishing behavior.                         | 0.6 - 0.8           | 0.5 - 0.75           | 0.8 - 0.88
Likely Malicious | Strong resemblance to known phishing patterns. High probability of being harmful.             | 0.8 - 0.9           | 0.75 - 0.9           | 0.88 - 0.95
Malicious        | Overwhelming match to malicious signatures. Immediate mitigation recommended.                 | 0.9 - 1.0           | 0.9 - 1.0            | 0.95 - 1.0
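The following is an added example, not OPSWAT code and not part of the product; it maps the three model scores from a report to the verdict bands in the table above, so that a consumer of the scan report can reproduce the mapping and see why a single cutoff across models is wrong. The page lists shared edge values without saying which band owns them, so this code assumes each band is lower-inclusive and upper-exclusive, with 1.0 belonging to the top band. The `should_notify` helper and the `any()` rule inside it are assumptions for illustration; the page does not document the product's threshold value or how the three verdicts are combined.

```python
"""Map MetaDefender Sandbox web-threat model scores to the documented verdict bands.

Illustrative helper written for this page; it is not OPSWAT code and does not
call the product API. The edge values are copied from the "Confidence
mappings" table. Assumption: each band is lower-inclusive / upper-exclusive,
and a score of exactly 1.0 belongs to the top band.
"""
from typing import Dict, List

# Verdict labels in ascending order of severity, as listed in the table.
VERDICTS: List[str] = [
    "Benign", "No Threat", "Unknown", "Suspicious", "Likely Malicious", "Malicious",
]

# Upper edge of each band, per model, in the same order as VERDICTS.
UPPER_EDGES: Dict[str, List[float]] = {
    "content":   [0.2, 0.35, 0.6,  0.8,  0.9,  1.0],
    "behavior":  [0.2, 0.35, 0.5,  0.75, 0.9,  1.0],
    "structure": [0.1, 0.2,  0.8,  0.88, 0.95, 1.0],
}


def verdict(model: str, score: float) -> str:
    """Return the verdict label for one model's probability score."""
    if model not in UPPER_EDGES:
        raise ValueError(f"unknown model {model!r}")
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score must be a probability in [0, 1], got {score}")
    # The score falls in the first band whose upper edge is strictly above it.
    for edge, label in zip(UPPER_EDGES[model], VERDICTS):
        if score < edge:
            return label
    return VERDICTS[-1]  # only reached for score == 1.0


def classify(scores: Dict[str, float]) -> Dict[str, str]:
    """Map each model's score in a report to its verdict.

    The page does not document how the three verdicts are combined into one
    overall verdict, so they are deliberately returned separately.
    """
    return {model: verdict(model, s) for model, s in scores.items()}


def should_notify(scores: Dict[str, float], threshold: float) -> bool:
    """Hypothetical consumer-side check modelled on the "exceeds a threshold"
    rule in the Configuration section. Assumption: notify if ANY model score
    exceeds the threshold; the product's real rule is not given on the page.
    """
    return any(s > threshold for s in scores.values())


if __name__ == "__main__":
    # Constructed sample scores, not taken from a real report.
    sample = {"content": 0.5, "behavior": 0.5, "structure": 0.5}
    # The same 0.5 lands in a different band for each model.
    print(classify(sample))
    print("notify:", should_notify(sample, 0.8))
```

Running the block with the constructed sample shows the point of the per-model edges: a score of 0.5 is Unknown for the content and structure models but already Suspicious for the behavior model, so any downstream rule should compare each score against its own model's edges rather than one global cutoff.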

Available on the product

Configuration

Currently, the model runs by default on every URL scan and sends a notification to consumers when the predicted likelihood exceeds a threshold.
