ThreatRadar Reputation Services

Reputation-Based Security for Automated Attacks

Hackers are becoming more industrialized and well resourced. Sophisticated criminals are leveraging networks of remotely-controlled computers, or bots, to launch large-scale automated attacks. Stopping automated attacks requires identifying users—typically bots—that are actively attacking other websites.

ThreatRadar Reputation Services provide an automated defense against automated attacks by instantly detecting and stopping known malicious sources. As an add-on service to the SecureSphere Web Application Firewall (WAF), ThreatRadar detects Web traffic originating from users attacking other websites, from anonymizing services, and from undesirable geographic locations. Up-to-date lists of phishing sites enable SecureSphere to detect compromised users and fraudulent file requests.

Crowd-Sourced Threat Intelligence

ThreatRadar Community Defense, an industry-leading innovation for ThreatRadar Reputation Services, delivers crowd-sourced threat intelligence to SecureSphere Web Application Firewalls. Community Defense gathers attack data from SecureSphere deployments around the world and translates this data into attack patterns, policies, and reputation feeds. Crowd-sourced security content is distributed in near-real time to fortify the entire community against emerging threats.

While ThreatRadar Reputation Services rely on security information from leading external security providers, Community Defense draws on live attacks detected by SecureSphere Web Application Firewalls.

Key Capabilities
  • Aggregate reputation data from leading providers to identify:
      • Malicious IP addresses
      • Anonymous proxies
      • TOR networks
      • Phishing URLs
      • Geographic location
  • Receive crowd-sourced threat intelligence in near-real time
  • Protect against automated and botnet attacks
  • Visualize the location of attack sources in an integrated forensics tool and a geographic alert map
  • Instantly update SecureSphere Web Application Firewall policies based on current attack data

Track Attack Sources on a Global Scale

Aggregating IP address and URL reputation data from leading security providers, ThreatRadar enables SecureSphere Web Application Firewalls to stop automated attacks. ThreatRadar identifies:

  • Malicious Sources: IP addresses that have repeatedly performed malicious activity on other websites. To date, over ten million botnets have executed attacks on behalf of remote hackers.
  • Anonymous Proxies: Web traffic originating from anonymous proxy servers. By hiding the identity of the traffic source, anonymous proxies are often exploited by hackers to launch attacks.
  • The Onion Router (TOR) Networks: Traffic sources that use the TOR network to launch attacks without revealing their identity and location.
  • IP Geolocation: IP addresses that are based in a specific geographic location. Geolocation enables organizations to monitor or block access from objectionable countries.
  • Phishing URLs: Real-time alerting on phishing incidents against the customer domain.

By understanding which users attacked other websites, SecureSphere Web Application Firewalls can identify automated attacks like Distributed Denial of Service (DDoS). For many automated attacks, each individual Web request may appear legitimate, but together, automated requests from thousands or millions of clients have the power to disable all Web application access. Understanding the reputation of Web users can help organizations fight automated attacks.

Identify Attackers with ThreatRadar Community Defense

Harnessing the collective insight of SecureSphere deployments around the world, ThreatRadar Community Defense detects and tracks hackers actively performing Web attacks. While ThreatRadar Reputation Services identify users conducting automated attacks like DDoS, Community Defense classifies users conducting advanced Web attacks like SQL injection. Community Defense offers powerful protection against Web application hackers.

Stop New Attack Vectors with Crowd-Sourced Threat Intelligence

Community Defense enables SecureSphere Web Application Firewalls to detect new attack patterns without blocking legitimate requests. Community Defense uses patent-pending technology to gather suspicious Web requests, validate that requests are attacks, and transform identified attacks into signatures. Equipped with Community Defense, SecureSphere Web Application Firewalls can spot attacks witnessed by other Imperva-protected websites.

Stay Up-to-Date with Continuous, Automated Security Feeds

ThreatRadar Reputation Services deliver integrated attack source feeds, in near real time, to all ThreatRadar-powered SecureSphere WAFs. ThreatRadar Reputation Services are fully maintained by Imperva and eliminate the manual effort required to identify, subscribe to, and maintain these security feeds. Imperva continuously updates the feed, providing current protection against malicious traffic.

Instantly Detect and Block Malicious Sources

ThreatRadar increases the accuracy of the SecureSphere Web Application Firewall and dramatically reduces application visibility to attackers. Because access requests are blocked based on traffic source reputation, hackers have virtually no opportunity to explore the Web application for possible weaknesses and are less likely to launch a successful attack.

Streamline Forensics with Reputation and Geolocation Data

ThreatRadar Reputation Services take the guesswork out of event analysis by providing greater operational insight into attacker origins and methods. Information such as the source IP address and geographic location of requests provides additional context on attacks, enabling precise incident response procedures and minimizing operational workload.

ThreatRadar Reputation Services Specifications


Specification Description
Malicious Sources
  • Malicious IP addresses conducting automated attacks
  • Malicious IP addresses conducting SQL injection and Web attacks with ThreatRadar Community Defense
  • Anonymous proxy servers
  • The Onion Router (TOR) Network
Malicious URLs
  • Phishing URLs
Malicious Attack Strings
  • Remote File Inclusion Attacks with ThreatRadar Community Defense
Access Control and Forensics
  • Geolocation of source IP
  • Reputation of source IP
Communications to ThreatRadar servers
  • SSL encrypted communications between ThreatRadar cloud servers, MX Management server and SecureSphere gateways
Security Feed Updates
  • Continuous updates; frequency ranges from near real time to daily depending on feed type and configuration
Data Feed Sources
  • Commercial and non-commercial providers of malicious sources
  • Commercial provider of phishing URLs
  • Commercial provider of geolocation data
  • Imperva SecureSphere Web Application Firewalls
  • Imperva Application Defense Center (ADC) provides malicious sources, scores and validates feeds, and maintains a Global trusted IP list
SecureSphere Integration
  • Pre-defined and custom SecureSphere security policies
  • SNMP
  • Syslog
  • Email
  • Incident management ticketing integration
  • Custom followed action
  • Pre-defined and custom graphical reports
  • Real-time dashboard
Supported Products
  • SecureSphere Web Application Firewall