Detecting web exploit kits by tree-based structural similarity search

US 10,560,471 B2
Filed: 11/07/2016
Issued: 02/11/2020
Est. Priority Date: 05/14/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic;

clustering, using a processor on the computer, the HTTP traffic into web session trees, each web session tree based on a portion of the traffic initiated by a different client IP (Internet Protocol) root request;

generating a client tree structure of each web session tree, wherein each client tree structure comprises a respective root node that corresponds to the corresponding different client IP root request and to child nodes representing the corresponding portion of the traffic; and

comparing each client tree structure with each of a plurality of tree structures of a plurality of exploit kit samples, wherein each of the tree structures comprises a set of other HTTP traffic that was caused when a client browser downloaded a malicious payload of one of the plurality of the exploit kit samples, and wherein the other HTTP traffic occurs within a time window starting with an initiating root request from the client browser and inclusive of multiple malicious requests to malicious servers caused by execution by the client browser of the malicious payload; and

determining based on a similarity result from the comparison that a client browser corresponding to at least one of the client tree structures had previously downloaded a malicious payload of a corresponding exploit kit sample, wherein each of the exploit kit samples comprises malicious files with a pre-written exploit code to exploit vulnerabilities in one or more software applications.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic and clustering, using a processor on the computer, the HTTP traffic according to a client IP (Internet Protocol) into a web session tree. A client tree structure of the web session tree is generated and the client tree structure is compared with tree structures of exploit kit samples.

36 Citations

View as Search Results

14 Claims

1. A method comprising:
- receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic;
  
  clustering, using a processor on the computer, the HTTP traffic into web session trees, each web session tree based on a portion of the traffic initiated by a different client IP (Internet Protocol) root request;
  
  generating a client tree structure of each web session tree, wherein each client tree structure comprises a respective root node that corresponds to the corresponding different client IP root request and to child nodes representing the corresponding portion of the traffic; and
  
  comparing each client tree structure with each of a plurality of tree structures of a plurality of exploit kit samples, wherein each of the tree structures comprises a set of other HTTP traffic that was caused when a client browser downloaded a malicious payload of one of the plurality of the exploit kit samples, and wherein the other HTTP traffic occurs within a time window starting with an initiating root request from the client browser and inclusive of multiple malicious requests to malicious servers caused by execution by the client browser of the malicious payload; and
  
  determining based on a similarity result from the comparison that a client browser corresponding to at least one of the client tree structures had previously downloaded a malicious payload of a corresponding exploit kit sample, wherein each of the exploit kit samples comprises malicious files with a pre-written exploit code to exploit vulnerabilities in one or more software applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, further comprising, responsive to at least one subtree of one of the client tree structures being determined to be similar to at least one subtree structure of at least one of the exploit kit samples within a predefined similarity value, classifying the at least one subtree as malicious.
  - 3. The method according to claim 1, further comprising using a honeyclient to gather one or more of the exploit kit samples, wherein the honeyclient comprises a browser designed to detect changes in the browser or an operating system upon which the browser is operating.
  - 4. The method according to claim 1, wherein tree structures are compared initially using a node level similarity search followed by a structural similarity search responsive to the node level similarity search resulting in a similarity between two tree structures above a predetermined similarity amount.
  - 5. The method according to claim 4, wherein the node level similarity search comprises a comparison of node features of two tree structures using a similarity metric.
  - 6. The method according to claim 5, wherein the similarity metric comprises one of a Jaccardin Index and a weighted Jaccardian Index.
  - 7. The method according to claim 6, wherein the structural similarity search is executed using a tree edit distance metric based upon determining a number of deletions, insertions, or label renamings to transform a first tree into a second tree.
  - 8. The method according to claim 1, wherein each client tree structure is further compared with instance samples of one or more clickjacking schemes, each clickjacking scheme comprising coding that hides coding on a malicious website beneath apparently legitimate buttons, thereby tricking a user into clicking onto something different than perceived.
  - 9. The method according to claim 1, as embodied in a set of computer-readable instructions tangibly embodied on a non-transitive storage device.
  - 10. The method according to claim 9, wherein the non-transitive storage device comprises one of:
    - a memory device in a computer, as storing programs to be selectively executed by a processor on the computer;
      
      a memory device on the computer, as storing a program currently being executed by the processor;
      
      a memory device on a computer selectively connectable to a network, the computer configured to download the set of instructions onto a memory device on another computer in the network; and
      
      a standalone memory device that can be used to transfer the set of instructions into a memory device on a computer.

11. A method of deploying computer resources by provisioning a memory device in a server accessible via a network with a set of computer-readable instructions for a computer to execute a method of detecting exploit kits, wherein the method of detecting exploit kits comprises:
- receiving, at an input port of the computer, indication of HTTP (Hypertext Transfer Protocol) traffic;
  
  clustering, using the processor on the computer, the HTTP traffic into web session trees, each web session tree based on a portion of the traffic initiated by a different client IP (Internet Protocol) root request;
  
  generating a client tree structure for each web session tree, wherein each client tree structure comprises a respective root node that corresponds to the corresponding different client IP root request and to child nodes representing the corresponding portion of the traffic; and
  
  comparing each client tree structure with each of a plurality of tree structures of a plurality of exploit kit samples, wherein each of the tree structures comprises a set of other HTTP traffic that was caused when a client browser downloaded a malicious payload of one of the plurality of the exploit kit samples, and wherein the other HTTP traffic occurs within a time window starting with an initiating root request from the client browser and inclusive of multiple malicious requests to malicious servers caused by execution by the client browser of the malicious payload; and
  
  determining based on a similarity result from the comparison that a client browser corresponding to at least one of the client tree structures had previously downloaded a malicious payload of a corresponding exploit kit sample, wherein each of the exploit kit samples comprises malicious files with a pre-written exploit code to exploit vulnerabilities in one or more software applications.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, further comprising, responsive to at least one subtree of one of the client tree structures being determined to be similar to at least one subtree structure of at least one of the exploit kit samples within a predefined similarity value, classifying the at least one subtree as malicious.
  - 13. The method of claim 11, wherein the server one of:
    - executes the method of detecting exploit kits based on network data received from a local area network of computers for which the server serves as a network portal;
      
      receives a request from a computer via the network to execute the method of detecting exploit kits, receives data from the requesting computer to be processed by the method, and returns to the requesting computer a result of executing the method on the received data; and
      
      receives a request from a computer via the network to execute the method and transmits the set of computer-readable instructions to the requesting computer to itself execute the method of detecting exploit kits.
  - 14. The method of claim 11, wherein the server provides a service of executing the method of detecting exploit kits as a cloud service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HCL Technologies Limited
Original Assignee
HCL Technologies Limited
Inventors
Hu, Xin, Jang, Jiyong, Monrose, Fabian, Stoecklin, Marc Philippe, Taylor, Teryl, Wang, Ting
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
McCoy, Richard A

Application Number

US15/344,791
Publication Number

US 20170054749A1
Time in Patent Office

1,191 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/2246   Trees, e.g. B+trees

G06F 16/245   Query processing

G06F 16/285   Clustering or classification

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

Detecting web exploit kits by tree-based structural similarity search

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting web exploit kits by tree-based structural similarity search

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links