Method and apparatus for identifying phishing websites in network traffic using generated regular expressions

US 20090300768A1
Filed: 05/30/2008
Published: 12/03/2009
Est. Priority Date: 05/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;

classifying the network traffic containing the URL as legitimate if the URL'"'"'s domain name matches the legitimate Internet domain name; and

if the URL is not classified as legitimate, quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.

123 Citations

20 Claims

1. A method comprising:
- determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;
  
  classifying the network traffic containing the URL as legitimate if the URL'"'"'s domain name matches the legitimate Internet domain name; and
  
  if the URL is not classified as legitimate, quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1 wherein the second regular expression comprises at least one structure found in a legitimate URL of a target organization.
  - 3. The method of claim 2 wherein the second regular expression comprises at least one structure which matches a structure in a legitimate URL of the target organization with a matching score greater than a first predetermined threshold.
  - 4. The method of claim 1 further comprising:
    - performing a function when network traffic that is not classified as legitimate matches the regular expression for identifying an unacceptable URL with a matching score greater than a first predetermined threshold.
  - 5. The method of claim 4 wherein the step of performing a function comprises delaying the network traffic from reaching its destination.
  - 6. The method of claim 4 wherein the step of performing a function comprises removing the network traffic from network circulation.
  - 7. The method of claim 4 wherein the step of performing a function comprises transmitting an indication that network traffic contains a URL which may be an unacceptable URL.
  - 8. The method of claim 7 further comprising:
    - receiving an indication that the URL which may be an unacceptable URL should be classified as an acceptable URL.
  - 9. The method of claim 8 wherein the step of receiving the indication comprises receiving an indication that a receiver of the network traffic clicked-through said URL.
  - 10. The method of claim 8 further comprising:
    - adding a domain name from the URL in the network traffic to a set of legitimate Internet domain names.
  - 11. The method of claim 1 wherein the Internet domain name comprises one of a domain name registered to a) the target organization, b) an approved advertising organization or c) an approved Internet search organization.
  - 12. The method of claim 11 further comprising:
    - designating an approved status for an advertising organization or an Internet search organization by one of a) a system administrator, b) an end-user, or c) a representative of the target organization.
  - 13. The method of claim 1 further comprising:
    - identifying an Internet domain name as a legitimate Internet domain name based on its being historically observed to be safe or its being tested as safe.
  - 14. The method of claim 13 wherein historical statistical records are maintained relating to activities of servers associated with a given domain name.
  - 15. The method of claim 14 wherein the historical statistical records related to clients who have interacted with the given domain name.
  - 16. The method of claim 13 wherein the domain name is tested as being safe by analyzing the structure of a web page associated with the domain name.
  - 17. The method of claim 16 wherein the structure of the web page is analyzed by analyzing domains that are pointed to by URLs embedded in the web page.
  - 18. The method of claim 1, further comprising:
    - analyzing at least one packet associated with the network traffic using deep packet inspection.

19. An apparatus comprising:
- means for determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;
  
  means for classifying the network traffic containing the URL as legitimate if the URL'"'"'s domain name matches the legitimate Internet domain name; and
  
  means for quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization, if the URL is not classified as legitimate.

20. A computer readable medium encoded with computer executable instructions defining steps comprising:
- determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;
  
  classifying the network traffic containing the URL as legitimate if the URL'"'"'s domain name matches the legitimate Internet domain name; and
  
  if the URL is not classified as legitimate, quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Ramachandran, Anirudh, Spatscheck, Oliver, Krishnamurthy, Balachander, Merwe, Jacobus Van Der

Granted Patent

US 8,307,431 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Method and apparatus for identifying phishing websites in network traffic using generated regular expressions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

123 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for identifying phishing websites in network traffic using generated regular expressions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links