METHOD AND SYSTEM FOR DETERMINING A PROBABILITY OF ENTRY OF A COUNTERFEIT DOMAIN IN A BROWSER

US 20080092242A1
Filed: 10/16/2006
Published: 04/17/2008
Est. Priority Date: 10/16/2006
Status: Active Grant

First Claim

Patent Images

1. A method for determining a probability that a suspected domain name associated with a suspected domain, accessed using a universal resource locator (URL) entered as a character string into a browser associated with a client in a network environment, is a counterfeit of a legitimate domain name, the method comprising:

parsing a first character string entered into the browser, the first character string associated with the suspected domain name, to identify one or more predetermined characters in the suspected domain name having a known likelihood of being deceptively substituted for a corresponding one or more legitimate characters associated with the legitimate domain name;

generating an alternate domain name by substituting at least one of the one or more predetermined characters with the corresponding one or more legitimate characters; and

attempting to resolve an alternate domain associated with the alternate domain name,wherein if the alternate domain name is successfully resolved, a non-zero probability is assigned to the suspected domain name as being the counterfeit of the legitimate domain name.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide a method and system for determining a probability that a suspected domain name of a domain accessed using a universal resource locator (URL), which can be entered as a character string into a browser associated with a client in a net environment, is a counterfeit of a legitimate domain name. Characters in the suspected domain name can be identified as known as likely to be deceptively substituted for corresponding legitimate characters of a legitimate domain name. An alternate domain name is generated by substituting predetermined characters with the corresponding legitimate characters. An attempt can be made to resolve alternate domains of the alternate domain names. If the names are successfully resolved, a non-zero probability is assigned to the suspected domain name as being counterfeit.

Citations

20 Claims

1. A method for determining a probability that a suspected domain name associated with a suspected domain, accessed using a universal resource locator (URL) entered as a character string into a browser associated with a client in a network environment, is a counterfeit of a legitimate domain name, the method comprising:
- parsing a first character string entered into the browser, the first character string associated with the suspected domain name, to identify one or more predetermined characters in the suspected domain name having a known likelihood of being deceptively substituted for a corresponding one or more legitimate characters associated with the legitimate domain name;
  
  generating an alternate domain name by substituting at least one of the one or more predetermined characters with the corresponding one or more legitimate characters; and
  
  attempting to resolve an alternate domain associated with the alternate domain name,wherein if the alternate domain name is successfully resolved, a non-zero probability is assigned to the suspected domain name as being the counterfeit of the legitimate domain name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, further comprising:
    - comparing information associated with a page retrieved from the suspected domain and corresponding information associated with a corresponding page retrieved from the alternate domain; and
      
      computing a similarity between the page and the corresponding page based on the comparison of the information and the corresponding information; and
      
      assigning a likelihood that the suspected domain is the counterfeit domain of the legitimate domain based on the computed similarity.
  - 3. The method of claim 1, wherein:
    - the comparing includes extracting the first hypertext markup language (HTML) text from the page of the suspected domain and second HTML text from the corresponding page of the alternate domain to generate respective first and second word lists; and
      
      the computing includes comparing word counts associated with the first and second word lists.
  - 4. The method of claim 1, wherein the assigned likelihood is increased if the suspected domain includes a request for input of information.
  - 5. The method of claim 1, wherein the assigned likelihood is increased if the suspected domain includes a request for input of a password.
  - 6. The method of claim 1, wherein the URL is entered as the character string into the browser associated with the client in the network environment through one of a manual entry from the keyboard and an automatic entry from a hyperlink.
  - 7. An apparatus configured to perform the method of claim 1.
  - 8. A computer readable medium containing instructions for causing a processor to perform the method of claim 1.

9. A method for determining a predetermined threat level of a suspected domain accessed using a universal resource locator (URL) including a suspected domain name entered as a character string into a browser associated with a client in a network environment, the threat level determined local to the client prior to access to the suspected domain, the method comprising:
- parsing a first character string entered into the browser, the first character string associated with the suspected domain name of the suspected domain; and
  
  assigning the predetermined threat level of the suspected domain name based on a locally-executed procedure that evaluates criteria associated with the first character string,wherein the predetermined threat level corresponds to a threat that the suspected domain is a counterfeit of a legitimate domain.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the locally-executed procedure includes:
    - as a first evaluation criteria, identifying a predetermined character in the first character string having a known likelihood of being deceptively substituted for a corresponding legitimate character associated with a legitimate domain name of the legitimate domain;
      
      generating an alternate domain name by substituting the predetermined character with the legitimate character;
      
      attempting to resolve an alternate domain associated with the alternate domain name; and
      
      assigning a first threat level as the predetermined threat level if the alternate domain name is successfully resolved.
  - 11. The method of claim 10, wherein the locally-executed procedure further includes:
    - as a second evaluation criteria, comparing information associated with a page of the suspected domain and corresponding information associated with a corresponding page of the alternate domain;
      
      computing a similarity between the page and the corresponding page based on the comparison of the information and the corresponding information; and
      
      assigning a second threat level as the predetermined threat level based on the computed similarity.
  - 12. The method of claim 11, wherein the locally-executed procedure further includes:
    - as a third evaluation criteria, determining whether the suspected domain includes a request for input of information including one or more of a username, a password, a credit card number, an account number, a date of birth, a social security number, and a full name; and
      
      assigning a third threat level as the predetermined threat level based on whether the suspected domain includes the request for input of information.
  - 13. The method of claim 11, wherein:
    - the comparing includes extracting first hypertext markup language (HTML) text from the page of the suspected domain and second HTML text from the corresponding page of the alternate domain to generate respective first and second word lists; and
      
      the computing includes comparing word counts associated with the first and second word lists.
  - 14. The method of claim 9, wherein the suspected domain name is entered as the character string into the browser associated with the client in the network environment through one of a manual entry from a keyboard and an automatic entry from a hyperlink.
  - 15. An apparatus configured to perform the method of claim 9.
  - 16. A computer readable medium containing instructions for causing a processor to perform the method of claim 9.

17. A client in a computer network having a domain name server (DNS), the client interacting with domains in the computer network, the client comprising:
- a network connection to the computer network; and
  
  a browser coupled to the network connection, the browser configured to;
  
  compare a first character string corresponding to a universal resource locator (URL) including a suspected domain name associated with a suspected domain in the computer network;
  
  determine an alternate domain associated with the suspected domain name by forming a second character string using a character substitution procedure;
  
  submit the first character string and a second character string to the DNS; and
  
  assign a first likelihood that the suspected domain is a counterfeit of an actual domain if the DNS can resolve the second character string associated with the alternate domain.
- View Dependent Claims (18, 19)
- - 18. The client of claim 17, wherein the browser is further configured to:
    - retrieve a first web page associated with first character string and the suspected domain and a second web page associated with the second character string and the alternate domain;
      
      compare the first web page and the second web page; and
      
      assign a second likelihood that the suspected domain is a counterfeit domain of the actual domain based on the comparison.
  - 19. The client of claim 17, further comprising a database, wherein the browser is further configured to store to the suspected web page and the determined probability that the suspected domain is the counterfeit domain.

20. An article of manufacture comprising:
- a computer readable medium; and
  
  instructions contained on the medium, the instructions readable by a processor for causing the processor to;
  
  detect a universal resource locator (URL) including a suspected domain name input in a browser, the URL having a suspected alphanumeric character string identifying the input suspected domain name;
  
  generate alternative alphanumeric character strings associated with alternate domain names by substituting non-standard characters appearing in the suspected alphanumeric character string with predetermined standard characters and resolving the resulting alternative domain names to determine if any of the alternate domain names can be successfully resolved; and
  
  assign a probability that the input suspected domain name is associated with a counterfeit domain if the any of the alternate domain names can be successfully resolved.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Rowley, Peter

Granted Patent

US 8,578,481 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

H04L 61/30   Managing network names, e.g...

H04L 61/4511   using domain name system [DNS]

H04L 63/1483   service impersonation, e.g....

METHOD AND SYSTEM FOR DETERMINING A PROBABILITY OF ENTRY OF A COUNTERFEIT DOMAIN IN A BROWSER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DETERMINING A PROBABILITY OF ENTRY OF A COUNTERFEIT DOMAIN IN A BROWSER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links