Detecting web exploit kits by tree-based structural similarity search
First Claim
1. A method comprising:
- receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic;
- clustering, using a processor on the computer, the HTTP traffic into web session trees, each web session tree based on a portion of the traffic initiated by a different client IP (Internet Protocol) root request;
- generating a client tree structure of each web session tree, wherein each client tree structure comprises a respective root node that corresponds to the corresponding different client IP root request and to child nodes representing the corresponding portion of the traffic; and
- comparing each client tree structure with each of a plurality of tree structures of a plurality of exploit kit samples, wherein each of the tree structures comprises a set of other HTTP traffic that was caused when a client browser downloaded a malicious payload of one of the plurality of the exploit kit samples, and wherein the other HTTP traffic occurs within a time window starting with an initiating root request from the client browser and inclusive of multiple malicious requests to malicious servers caused by execution by the client browser of the malicious payload; and
- determining based on a similarity result from the comparison that a client browser corresponding to at least one of the client tree structures had previously downloaded a malicious payload of a corresponding exploit kit sample, wherein each of the exploit kit samples comprises malicious files with a pre-written exploit code to exploit vulnerabilities in one or more software applications.
2 Assignments; 0 Petitions
Abstract
A method includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic and clustering, using a processor on the computer, the HTTP traffic according to a client IP (Internet Protocol) into a web session tree. A client tree structure of the web session tree is generated and the client tree structure is compared with tree structures of exploit kit samples.
36 Citations
14 Claims
- Claim 1 (independent; text as given above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
- 11. A method of deploying computer resources by provisioning a memory device in a server accessible via a network with a set of computer-readable instructions for a computer to execute a method of detecting exploit kits, wherein the method of detecting exploit kits comprises:
  - receiving, at an input port of the computer, indication of HTTP (Hypertext Transfer Protocol) traffic;
  - clustering, using the processor on the computer, the HTTP traffic into web session trees, each web session tree based on a portion of the traffic initiated by a different client IP (Internet Protocol) root request;
  - generating a client tree structure for each web session tree, wherein each client tree structure comprises a respective root node that corresponds to the corresponding different client IP root request and to child nodes representing the corresponding portion of the traffic; and
  - comparing each client tree structure with each of a plurality of tree structures of a plurality of exploit kit samples, wherein each of the tree structures comprises a set of other HTTP traffic that was caused when a client browser downloaded a malicious payload of one of the plurality of the exploit kit samples, and wherein the other HTTP traffic occurs within a time window starting with an initiating root request from the client browser and inclusive of multiple malicious requests to malicious servers caused by execution by the client browser of the malicious payload; and
  - determining based on a similarity result from the comparison that a client browser corresponding to at least one of the client tree structures had previously downloaded a malicious payload of a corresponding exploit kit sample, wherein each of the exploit kit samples comprises malicious files with a pre-written exploit code to exploit vulnerabilities in one or more software applications.
  Dependent claims: 12, 13, 14.
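The procedure claimed in claims 1 and 11 (cluster HTTP traffic into per-client web session trees, compare each tree's structure with the trees of exploit kit samples, and flag clients whose trees are similar) is worked through below as an added Python example; it is not code from the patent or its assignee. The claims do not fix the session window length, how a request's parent node is chosen, how nodes are labelled, or which similarity measure is used, so those are assumptions made here: a Referer header (or, for a request without one inside an open window, the most recently browser-fetched resource) identifies the parent; nodes carry only a resource class label; similarity is the Jaccard index over canonical subtree shape strings; the reporting threshold is 0.5; and both the HTTP log records and the single kit sample tree are constructed for the example.

```python
"""Web session trees and tree-structure similarity against exploit kit samples.

Added example, not the patent's code. Everything marked ASSUMED is a choice the
claims do not make; the log records and the kit sample tree are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WINDOW = 30.0     # ASSUMED: seconds a session window stays open after its root request
THRESHOLD = 0.5   # ASSUMED: minimum Jaccard score for a client to be reported


@dataclass
class Request:
    client_ip: str
    ts: float
    url: str
    referer: Optional[str]
    resource_class: str   # ASSUMED label set: html, js, css, img, flash, bin, cb (callback)


@dataclass
class Node:
    label: str
    children: List["Node"] = field(default_factory=list)


def build_session_trees(requests: List[Request]) -> Dict[str, List[Node]]:
    """Cluster requests by client IP into session trees, one per root request.

    ASSUMED parent rule: a request joins the node whose URL its Referer names; a
    request without Referer inside an open window (e.g. a callback issued by a
    downloaded payload) hangs off the last browser-fetched node; anything else
    starts a new root."""
    by_client: Dict[str, List[Request]] = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        by_client[r.client_ip].append(r)
    trees: Dict[str, List[Node]] = {}
    for ip, reqs in by_client.items():
        roots: List[Node] = []
        index: Dict[str, Node] = {}      # url -> node, for Referer lookup
        root_ts: Optional[float] = None  # start of the open session window
        anchor: Optional[Node] = None    # last browser-fetched node
        for r in reqs:
            node = Node(r.resource_class)
            in_window = root_ts is not None and r.ts - root_ts <= WINDOW
            parent = index.get(r.referer) if r.referer else (anchor if in_window else None)
            is_root = parent is None or not in_window
            if is_root:
                roots.append(node)
                root_ts = r.ts
            else:
                parent.children.append(node)
            index[r.url] = node
            if is_root or r.referer:
                anchor = node
        trees[ip] = roots
    return trees


def _shape(node: Node, depth: int, acc: set) -> str:
    # Canonical string for this subtree (child order ignored); every subtree's
    # string is collected in acc so that partial structural matches also count.
    kids = sorted(_shape(c, depth + 1, acc) for c in node.children)
    s = f"{depth}:{node.label}({','.join(kids)})"
    acc.add(s)
    return s


def fingerprint(root: Node) -> set:
    acc: set = set()
    _shape(root, 0, acc)
    return acc


def similarity(a: Node, b: Node) -> float:
    """ASSUMED measure: Jaccard index over the two trees' subtree shape sets."""
    fa, fb = fingerprint(a), fingerprint(b)
    return len(fa & fb) / len(fa | fb)


# Constructed kit sample tree: landing page -> loader script -> exploit file ->
# payload download -> two callbacks to the payload's servers. Not real kit traffic.
KIT_SAMPLES: Dict[str, Node] = {
    "constructed-kit-A": Node("html", [Node("js", [Node("flash", [
        Node("bin", [Node("cb"), Node("cb")])])])]),
}


def detect(requests: List[Request], samples: Dict[str, Node]) -> Dict[str, tuple]:
    """Map client IP -> (best score, sample name) for clients whose session tree
    resembles a kit sample at or above THRESHOLD."""
    hits: Dict[str, tuple] = {}
    for ip, roots in build_session_trees(requests).items():
        for root in roots:
            for name, sample in samples.items():
                score = similarity(root, sample)
                if score >= THRESHOLD and score > hits.get(ip, (0.0, None))[0]:
                    hits[ip] = (score, name)
    return hits


# Constructed HTTP log: (client_ip, ts, url, referer, resource class).
SAMPLE_LOG = [
    Request("10.0.0.5", 0.0, "http://news.example/", None, "html"),
    Request("10.0.0.5", 0.4, "http://news.example/app.js", "http://news.example/", "js"),
    Request("10.0.0.5", 0.5, "http://news.example/site.css", "http://news.example/", "css"),
    Request("10.0.0.5", 0.9, "http://cdn.example/logo.png", "http://news.example/", "img"),
    Request("10.0.0.9", 100.0, "http://blog.example/post", None, "html"),
    Request("10.0.0.9", 100.3, "http://blog.example/banner.png", "http://blog.example/post", "img"),
    Request("10.0.0.9", 100.8, "http://ads.example/ld.js", "http://blog.example/post", "js"),
    Request("10.0.0.9", 101.5, "http://ads.example/x.swf", "http://ads.example/ld.js", "flash"),
    Request("10.0.0.9", 102.2, "http://ads.example/p.exe", "http://ads.example/x.swf", "bin"),
    Request("10.0.0.9", 105.0, "http://c2.example/a", None, "cb"),   # payload callback, no Referer
    Request("10.0.0.9", 106.0, "http://c2.example/b", None, "cb"),
]

if __name__ == "__main__":
    for ip, (score, name) in detect(SAMPLE_LOG, KIT_SAMPLES).items():
        print(f"{ip}: session tree matches {name} (Jaccard {score:.2f})")
```

On the constructed log the benign client 10.0.0.5 (page, script, stylesheet, image) shares no subtree shape with the sample and scores 0, while 10.0.0.9 scores 4/7 because the script-to-exploit-to-payload-to-callback chain below its landing page matches the sample exactly and only the extra banner image and the root differ. Collecting every subtree's shape, rather than only the whole tree's, is what lets a sample match inside a larger benign session, which is the situation the claims describe (a time window that includes the root request and later malicious requests).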