Systems and methods for identifying phishing web sites

US 10,708,302 B2
Filed: 07/26/2016
Issued: 07/07/2020
Est. Priority Date: 07/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method for automatic detection of phishing websites, comprising:

monitoring network traffic;

detecting within the network traffic a sequence of network traffic events, wherein such sequence comprises;

an initial request from a network address to a first requested network address;

a first response to the initial request from the first requested network address at a first time; and

a second request from the network address to a second requested network address at a second time subsequent to the first time;

classifying the first requested network address as a potential phishing website;

wherein the classifying comprises;

determining that the second requested network address is not related to the first requested network address; and

determining that a time difference between the second time and the first time is smaller than a defined time value, wherein the defined time value is smaller than a time lapse between a change from one requested network address to another when such change is initiated by a human user; and

taking one or more protective measures in response to the classifying, wherein the one or more protective measures comprises blocking the first requested network address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for automatically detecting phishing attacks. Network traffic may be monitored to detected phishing attacks and/or identify phishing websites and/or target websites. The monitoring may comprise generating and analysing logs corresponding to the monitored network traffic, with the logs comprising network traffic events and/or information relating to requesting and responding addresses. The network traffic events used in detecting phishing attacks may comprise sequences each comprising one or more requests and responses. Requested websites may be identified as phishing websites based on event sequences meeting particular criteria. Components and/or functions utilized for monitoring the network traffic and/or automatic phishing detection based thereon may be implemented as parts of a browser and/or network routers utilized during typical and normal use operations.

Citations

20 Claims

1. A method for automatic detection of phishing websites, comprising:
- monitoring network traffic;
  
  detecting within the network traffic a sequence of network traffic events, wherein such sequence comprises;
  
  an initial request from a network address to a first requested network address;
  
  a first response to the initial request from the first requested network address at a first time; and
  
  a second request from the network address to a second requested network address at a second time subsequent to the first time;
  
  classifying the first requested network address as a potential phishing website;
  
  wherein the classifying comprises;
  
  determining that the second requested network address is not related to the first requested network address; and
  
  determining that a time difference between the second time and the first time is smaller than a defined time value, wherein the defined time value is smaller than a time lapse between a change from one requested network address to another when such change is initiated by a human user; and
  
  taking one or more protective measures in response to the classifying, wherein the one or more protective measures comprises blocking the first requested network address.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, comprising monitoring the network traffic using a log of network traffic events.
  - 3. The method of claim 2, wherein the log has a machine readable log format, and comprises network addresses of requested and/or responding sites.
  - 4. The method of claim 1, wherein the defined time value is smaller than 1 second, and preferably smaller than 0.1 seconds.
  - 5. The method of claim 1, wherein the second request is within a limited number of network events relative to the first time;
    - and comprisingclassifying the first requested network address as a potential phishing website based on a determination that the limited number of network events is smaller than a defined limit value.
  - 6. The method of claim 5, wherein the defined limit value is 5 or 3.

7. A method for protecting websites from phishing attacks, comprising:
- monitoring network traffic;
  
  detecting within the network traffic a request from a requesting network address to a target website;
  
  evaluating network events involving the requesting network address prior to the detected request to detect a request by the requesting network address to a website not related to the target website, wherein;
  
  the evaluating comprises obtaining time measurements that are independent of network latency;
  
  the evaluation is limited to network traffic events involving the requesting network address within a time window; and
  
  the time window is smaller than a time lapse between a change from one requested network address to another when such change is initiated by a human user;
  
  classifying the prior requested website as potential phishing website; and
  
  taking one or more protective measures in response to the classifying, wherein the one or more protective measures comprises blocking the prior requested website.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, comprising monitoring the network traffic using a log of network traffic events generated based on the network traffic.
  - 9. The method of claim 8, wherein the log has a machine readable log format, and comprises network addresses of requested and/or responding sites.
  - 10. The method of claim 7, wherein the evaluation is limited to network traffic events involving the requesting network address within a limited number of network traffic events in a sequence of network traffic events.
  - 11. The method of claim 10, wherein the limited number of network traffic events is 5 or 3.
  - 12. The method of claim 10, wherein the time window is smaller than 1 second, and preferably smaller than 0.1 seconds.

13. A system for the automated detection of phishing attacks, comprising:
- a network traffic monitor that monitors network traffic;
  
  a network flow correlator that detects within the network traffic a sequence of network traffic events, wherein such sequence comprises;
  
  an initial request from a network address to a first requested network address;
  
  a first response to the initial request from the first requested network address at a first time; and
  
  a second request from the network address to a second requested network address at a second time subsequent to the first time; and
  
  a website classifier that classifies the first requested network address as a potential phishing website;
  
  wherein the classifying comprises;
  
  a determination that the second requested network address is not related to the first requested network address, anda determination that a time difference between the second time and the first time is smaller than a defined time value, wherein the defined time value is smaller than a time lapse between a change from one requested network address to another when such change is initiated by a human user; and
  
  wherein the system takes one or more protective measures in response to the classifying, wherein the one or more protective measures comprises blocking the first requested network address.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein the network traffic monitor generates a log of network traffic events for use during monitoring the network traffic.
  - 15. The system of claim 14, wherein the log has a machine readable log format, and comprises network addresses of requested and/or responding sites.
  - 16. The system of claim 13, further comprising an address collector that collects addresses corresponding to requested and/or responding sites from one or more different sources.
  - 17. The system of claim 13, further comprising a pattern matching engine that identifies potential phishing addresses based on analysis of addresses in plaintext logs.
  - 18. The system of claim 13, further comprising a feature extractor that extracts and analyzes features of particular websites.
  - 19. The system of claim 18, wherein the feature extractor compares extracted features for a particular website with pre-stored website features to identify the particular website.
  - 20. The system of claim 13, wherein the second request is within a limited number of network events relative to the first time;
    - andwherein the website classifier classifies the first requested network address as a potential phishing website based on a determination that the limited number of network events is smaller than a defined limit value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Swisscom AG (Government of Switzerland)
Original Assignee
Swisscom AG (Government of Switzerland)
Inventors
Buergi, Ulrich, Angehrn, Florian
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/220,029
Publication Number

US 20170034211A1
Time in Patent Office

1,442 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1483   service impersonation, e.g....

Systems and methods for identifying phishing web sites

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying phishing web sites

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links