Blue Coat Labs

Labs Blog

Webpulse In A Nutshell

Webpulse In A Nutshell

Tim Chiu


You may have seen references to Webpulse in various Blue Coat blog posts, on different parts of the website, or just in a discussion on Blue Coat technology.  But it may not be completely obvious just what Webpulse is or does.  Sure it's a collaborative defense in the cloud with 75 million users, but just what does that mean to the average IT administrator?  This blog post will attempt to give you just that, a quick description of what Webpulse is all about and how it helps you get your job done.

Traditional web security uses URL filtering, the concept that any URL can be put into a category, and policy can enforced against that category.  The obvious example, a porn site would be categorized as "Pornography" and maybe even "Adult/Mature Content", and a typical enterprise would have a policy that blocked those categories, preventing user access to that website.  While having a local database of URLs and their categories works for well-known sites that stay relatively content consistent, it doesn't work for the 150,000 URLs that are estimated to be added each and every day

That's where the first part of Webpulse comes in.  When a user protected by Webpulse first encounters a website that doesn't already have a category rating in the local URL cache or from the URL database, the system will query Webpulse for a category.  Webpulse will respond with either a category from the cache in the cloud (if someone else has asked for the same URL recently), or it will use a real-time ratings engine in the cloud to analyze the requested URL.  The ratings engine analyzes multiple aspects of the requested URL including language content (18 languages recognized in real-time, over 50 in background), registration information, history, and other aspects of the website and URL to give a response in less than a second.

If for some reason the URL requires further analysis, Webpulse can continue to analyze the site using a background rating system.  In either case, when a category or categories have been assigned to the URL, this information is updated in the Webpulse cache, and made available to the other 75 million users who are also using Webpulse.  ProxyAV also provides feedback to Webpulse, so as new malware URLs are discovered by ProxyAV users around the world, this information is fed back to Webpulse and shared with the Webpulse community.

In addition to the automated engines used for categorizing websites, Webpulse also has human raters, and the ability to correlate information across requests.  This ability to correlate led Blue Coat's security team to discover the existence of malnets (malware networks), interconnected networks of sites hosting malware, and the sites that link to them.  With over 500 different malnets in existence, Webpulse now tracks these malnets as they evolve (add servers, change URLs, change IP addresses, etc.), and gives Webpulse users the ability to block malware attacks coming from malnets, before attacks even go live (through iFrame injections, cross site script attacks, etc.), a feature Blue Coat calls "negative day defense".  If you don't believe malnets are a threat, then consider this prediction from the Blue Coat Web Security Report: it's expected  in 2012 that as many as two-thirds of malware attacks will be based on malnets."

Just where can you get Webpulse?  Webpulse is used by ProxySG with Blue Coat Webfilter, PacketShaper, ProxyAV, Blue Coat's Cloud Service, ProxyClient, and our free home-use K-9 product.