ThreatRadar Reputation Services

Reputation-Based Security for Automated Attacks

Hackers are becoming more industrialized and well resourced. Sophisticated criminals are leveraging networks of remotely-controlled computers, or bots, to launch large-scale automated attacks. Effective attack mitigation requires identifying known malicious sources and adapting to continuously changing attack locations and techniques.

ThreatRadar Reputation Services provide an automated defense against automated attacks by instantly detecting and stopping known attackers. As an add-on service for the SecureSphere Web Application Firewall (WAF), ThreatRadar detects Web traffic originating from IP addresses currently attacking other Websites, from anonymizing services, and from undesirable geographic locations.

By integrating accurate, timely information on known attack sources into the WAF defense, ThreatRadar Reputation Services can quickly and accurately stop traffic from malicious sources before an attack can be launched.

Key Capabilities
  • Aggregates reputation data from the foremost commercial and non-commercial providers to identify:
      • Malicious IP addresses
      • Anonymous proxies
      • TOR networks
      • Phishing URLs
      • Geographic location
  • Protects against automated and botnet attacks
  • Offers near real-time feeds of global reputation data
  • Visualizes attack location and summarizes reputation data with integrated forensics tool
  • Instantly updates SecureSphere Web Application Firewall policies based on current attack data

Track Attack Sources on a Global Scale

Leveraging the security community's collective insight, centralized ThreatRadar servers aggregate information on attack sources from credible data providers. ThreatRadar identifies:

  • Malicious Sources: IP addresses that have repeatedly performed malicious activity on other Websites. To date, over ten million botnets have executed attacks on behalf of remote hackers.
  • Anonymous Proxies: Web traffic originating from anonymous proxy servers. By hiding the identity of the traffic source, anonymous proxies are often exploited by hackers to launch attacks.
  • The Onion Router (TOR) Networks: traffic sources that use TOR networks to launch attacks without revealing their identity and location.
  • IP Geolocation: IP addresses that are based in a specific geographic location. Geolocation enables organizations to monitor or block access from objectionable countries.
  • Phishing URLs: real-time alerting on phishing incidents against the customer domain.

By understanding attempted attacks on other websites, SecureSphere Web Application Firewalls can identify botnet or distributed attacks--attacks that may be difficult to identify based only on the characteristics of the Web request.

Continuous, Automated Feed of Current Attack Sources

ThreatRadar Reputation Services deliver integrated attack source feeds, in near real time, to all ThreatRadar-powered SecureSphere WAFs. ThreatRadar Reputation Services are fully maintained by Imperva and eliminate the manual effort required to identify, subscribe to, and maintain these security feeds. Imperva continuously updates the feed, providing current protection against malicious traffic.

Dynamically Adapt Web Security Policies

As SecureSphere Web Application Firewalls receive attack source information, ThreatRadar Reputation Services dynamically adjust security policies to alert or block traffic from newly identified attack sources. Furthermore, custom security rules can use information provided by the feeds to fine-tune the response for specific types of traffic, such as the ability to block only the traffic that comes from a malicious source exhibiting suspicious behavior.

Early Detection, Blocking of Malicious Sources

ThreatRadar increases the accuracy of SecureSphere WAF and dramatically reduces application visibility to attackers. Because access requests are blocked based on traffic source reputation, hackers have virtually no opportunity to explore the Web application for possible weaknesses and are less likely to launch a successful attack.

Streamlined Forensic Analysis and Attack Source Intelligence

ThreatRadar Reputation Services take the guesswork out of event analysis by providing greater operational insight into attacker origins and methods. Information such as the source IP address and geographic location of requests provides additional context on attacks, enabling precise incident response procedures and minimizing operational workload.

ThreatRadar Reputation Services Specifications


Specification Description
Malicious Sources
  • Malicious IP Addresses
  • Anonymous Proxy Servers
  • The Onion Router (TOR) Networks
Malicious URLs
  • Phishing URLs
Access Control and Forensics
  • Geolocation of source IP
  • Reputation of source IP
Communications to ThreatRadar servers
  • SSL encrypted communications between ThreatRadar cloud servers, MX Management server and SecureSphere gateways
Security Feed Updates
  • Continuous updates; frequency ranges from near real time to daily depending on feed type and configuration
Data Feed Sources
  • Commercial and non-commercial providers of malicious sources
  • Commercial provider of phishing URLs
  • Commercial provider of geolocation data
  • Imperva Application Defense Center (ADC) provides malicious sources, scores and validates feeds, and maintains a Global trusted IP list
SecureSphere Integration
  • Pre-defined and custom SecureSphere security policies
  • SNMP
  • Syslog
  • Email
  • Incident management ticketing integration
  • Custom followed action
  • Pre-defined and custom graphical reports
  • Real-time dashboard
Supported Products
  • SecureSphere Web Application Firewall