Blocklists lose the URL game by design. Attackers register fresh domains by the thousand, so any list of known-bad links is stale the moment it ships. The only way to keep up is to stop matching exact URLs and start recognizing the shape of malicious ones.
Palo Alto Networks' US11418485B2, “Pattern-based malicious URL detection” (issued August 16, 2022; CPC H04L 63/1483 — protection against phishing, and H04L 63/1416 — network intrusion detection), describes detecting malicious URLs by their patterns rather than by exact prior matches. Read it at US11418485B2.
Mechanically, the system learns the structural and lexical features that malicious URLs tend to share — token patterns, construction tricks, the fingerprints of automated domain generation — and scores new, never-seen URLs against those patterns. A brand-new phishing domain with no reputation can still be caught because it looks like its malicious cousins.
Why this is a business story: URL filtering is a core attach to Palo Alto's firewalls and to its Prisma cloud-security suite, sold as a recurring subscription. Pattern-based detection is the feature that lets the vendor claim coverage of zero-hour phishing — the links that no blocklist has seen — and that claim is what differentiates a premium secure-web-gateway from a cheap DNS filter.
The grounded read: pattern-based URL detection beats the blocklist treadmill by recognizing malicious structure rather than exact domains. Palo Alto's 2022 grant names that approach — the engine behind catching zero-hour phishing links as a subscription feature.