Title of invention: SOFTWARE PROGRAM IDENTIFICATION BASED ON PROGRAM BEHAVIOR
Abstract: Operations performed by a software application instance executed by a computing device are monitored. A determination is made that a particular operation performed matches an application signature representing a particular software application. In response, a match score is added to a total score for the software application. In response to determining that the total score is greater than or equal to a threshold, the software is classified.
Application publication number: US2017041338(A1) Publication date: 2017.02.09
Application number: US201615204929 Filing date: 2016.07.07
Applicant: iboss, Inc. Inventors: Martini Paul Michael; Martini Peter Anthony
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Main claim: 1. A method performed by data processing apparatus, the method comprising:
receiving, by a network gateway of a network, a message from a server addressed to a client hosted on the network;
running a first instance of a software application of the message in a sandbox that is separate from the client;
identifying, for the first instance of the software application, application signatures each representing one or more software applications, each application signature including a risk score threshold and one or more operation sequences each including a plurality of sequence operations;
monitoring operations performed by the first instance of the software application to generate a first risk score for the software application based on the operation sequences;
determining that the software application has passed a first risk test in response to determining that the first risk score is less than each risk score threshold;
responsive to determining that the software application has passed the first risk test, routing the message to the client;
running a second instance of the software application by the client;
identifying, for the second instance of the software application, the application signatures;
monitoring operations performed by the second instance of the software application to generate a second risk score for the software application based on the operation sequences;
determining that the software application has failed a second risk test in response to determining that the second risk score is greater than or equal to one of the risk score thresholds; and
in response to determining that the software application has failed the second risk test, performing a configured action.
Address: San Diego CA US
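
The two-stage risk test in the main claim, as an added Python sketch that is not code from the patent or from iboss. Assumptions: each operation sequence carries its own match score, a sequence counts as matched when its operations appear in order with gaps allowed, a failed first test holds the message at the gateway, and all signature names, operation names and traces are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OperationSequence:
    operations: tuple   # ordered sequence operations (two or more)
    match_score: int    # assumption: added once when the whole sequence is seen

@dataclass(frozen=True)
class ApplicationSignature:
    name: str
    risk_threshold: int
    sequences: tuple

def contains_in_order(observed, wanted):
    """True if `wanted` occurs in `observed` in order (gaps allowed; assumption)."""
    it = iter(observed)
    return all(op in it for op in wanted)

def risk_score(observed, signatures):
    """One total score for the instance across every signature's sequences."""
    return sum(seq.match_score
               for sig in signatures for seq in sig.sequences
               if contains_in_order(observed, seq.operations))

def passes_risk_test(score, signatures):
    """Pass only if the score is below each signature's threshold."""
    return all(score < sig.risk_threshold for sig in signatures)

def gateway_then_client(sandbox_ops, client_ops, signatures):
    """Sandbox run gates delivery; the client run is scored again afterwards."""
    if not passes_risk_test(risk_score(sandbox_ops, signatures), signatures):
        return "held_at_gateway"      # assumption: claim 1 only covers the pass path
    if not passes_risk_test(risk_score(client_ops, signatures), signatures):
        return "configured_action"
    return "allowed"

# Constructed signatures and operation traces (names are made up for the example).
SIGNATURES = (
    ApplicationSignature("file-encryptor-like", 50, (
        OperationSequence(("enumerate_files", "read_file", "encrypt_buffer", "write_file"), 40),
        OperationSequence(("open_registry", "set_autorun_key"), 30))),
    ApplicationSignature("keylogger-like", 60, (
        OperationSequence(("install_keyboard_hook", "write_file", "open_socket"), 60),)),
)
SANDBOX_OPS = ["open_registry", "read_file", "open_socket"]   # quiet in the sandbox
CLIENT_OPS = ["open_registry", "set_autorun_key", "enumerate_files",
              "read_file", "encrypt_buffer", "write_file"]    # full behaviour on the client

if __name__ == "__main__":
    print(gateway_then_client(SANDBOX_OPS, CLIENT_OPS, SIGNATURES))
```

The constructed traces show why the claim scores the application a second time on the client: the instance stays below every threshold in the sandbox and crosses one only after delivery.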