Systems and methods for identifying phishing web sites
First Claim
1. A method for automatic detection of phishing websites, comprising:
- monitoring network traffic;
- detecting within the network traffic a sequence of network traffic events, wherein such sequence comprises:
  - an initial request from a network address to a first requested network address;
  - a first response to the initial request from the first requested network address at a first time; and
  - a second request from the network address to a second requested network address at a second time subsequent to the first time;
- classifying the first requested network address as a potential phishing website;
- wherein the classifying comprises:
  - determining that the second requested network address is not related to the first requested network address; and
  - determining that a time difference between the second time and the first time is smaller than a defined time value, wherein the defined time value is smaller than a time lapse between a change from one requested network address to another when such change is initiated by a human user; and
- taking one or more protective measures in response to the classifying, wherein the one or more protective measures comprises blocking the first requested network address.
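The sequence test recited in claim 1, run over a constructed event log, as an added example that is not part of the patent text. The `Event` layout, the 0.5-second threshold and the "same last two DNS labels" relatedness test are assumptions; the page does not define them.

```python
from dataclasses import dataclass

# Assumed threshold in seconds: the claim only requires a value below the time
# a human needs to move from one address to another; 0.5 is a placeholder.
MAX_AUTOMATED_GAP = 0.5

@dataclass(frozen=True)
class Event:
    ts: float    # seconds, taken from the monitor's own clock
    kind: str    # "request" or "response"
    client: str  # requesting network address
    host: str    # requested (or responding) host

def site(host):
    # Assumption: hosts are "related" when their last two DNS labels match.
    # A deployment would use the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(events, max_gap=MAX_AUTOMATED_GAP):
    """Return {first_host: (second_host, gap)} for sequences matching claim 1."""
    pending = set()      # (client, host) pairs with an outstanding request
    last_response = {}   # client -> (responding host, time of that response)
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "response":
            if (ev.client, ev.host) in pending:
                pending.discard((ev.client, ev.host))
                last_response[ev.client] = (ev.host, ev.ts)
            continue
        pending.add((ev.client, ev.host))
        prev = last_response.get(ev.client)
        if prev is None:
            continue
        first_host, t1 = prev
        gap = ev.ts - t1
        if gap >= max_gap:                        # human-paced: window expired
            del last_response[ev.client]
        elif site(ev.host) != site(first_host):   # unrelated and too fast
            flagged.setdefault(first_host, (ev.host, round(gap, 3)))
            del last_response[ev.client]
    return flagged

# Constructed sample log (reserved .example names, not real traffic).
SAMPLE = [
    Event(0.00, "request", "10.0.0.5", "login.phish.example"),
    Event(0.12, "response", "10.0.0.5", "login.phish.example"),
    Event(0.15, "request", "10.0.0.5", "static.phish.example"),  # related host
    Event(0.30, "request", "10.0.0.5", "www.bank.example"),      # unrelated, 0.18 s
    Event(1.00, "request", "10.0.0.9", "news.example.org"),
    Event(1.20, "response", "10.0.0.9", "news.example.org"),
    Event(9.70, "request", "10.0.0.9", "shop.example.net"),      # 8.5 s: human-paced
]
blocklist = set(classify(SAMPLE))  # protective measure: block the first address
```
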
Abstract
Systems and methods are provided for automatically detecting phishing attacks. Network traffic may be monitored to detect phishing attacks and/or identify phishing websites and/or target websites. The monitoring may comprise generating and analysing logs corresponding to the monitored network traffic, with the logs comprising network traffic events and/or information relating to requesting and responding addresses. The network traffic events used in detecting phishing attacks may comprise sequences each comprising one or more requests and responses. Requested websites may be identified as phishing websites based on event sequences meeting particular criteria. Components and/or functions utilized for monitoring the network traffic and/or automatic phishing detection based thereon may be implemented as parts of a browser and/or network routers utilized during typical and normal use operations.
20 Claims
7. A method for protecting websites from phishing attacks, comprising:
- monitoring network traffic;
- detecting within the network traffic a request from a requesting network address to a target website;
- evaluating network events involving the requesting network address prior to the detected request to detect a request by the requesting network address to a website not related to the target website, wherein:
  - the evaluating comprises obtaining time measurements that are independent of network latency;
  - the evaluation is limited to network traffic events involving the requesting network address within a time window; and
  - the time window is smaller than a time lapse between a change from one requested network address to another when such change is initiated by a human user;
- classifying the prior requested website as potential phishing website; and
- taking one or more protective measures in response to the classifying, wherein the one or more protective measures comprises blocking the prior requested website.
13. A system for the automated detection of phishing attacks, comprising:
- a network traffic monitor that monitors network traffic;
- a network flow correlator that detects within the network traffic a sequence of network traffic events, wherein such sequence comprises:
  - an initial request from a network address to a first requested network address;
  - a first response to the initial request from the first requested network address at a first time; and
  - a second request from the network address to a second requested network address at a second time subsequent to the first time; and
- a website classifier that classifies the first requested network address as a potential phishing website;
- wherein the classifying comprises:
  - a determination that the second requested network address is not related to the first requested network address, and
  - a determination that a time difference between the second time and the first time is smaller than a defined time value, wherein the defined time value is smaller than a time lapse between a change from one requested network address to another when such change is initiated by a human user; and
- wherein the system takes one or more protective measures in response to the classifying, wherein the one or more protective measures comprises blocking the first requested network address.
Specification