Method and apparatus for identifying phishing websites in network traffic using generated regular expressions
First Claim
1. A method comprising:
- determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;
classifying the network traffic containing the URL as legitimate if the URL's domain name matches the legitimate Internet domain name; and
if the URL is not classified as legitimate, quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization.
Abstract
According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.
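The two-stage check described in the abstract, as an added Python example that is not taken from the patent. The target domain `examplebank.com`, the sub-patterns, the weights and the threshold are all assumptions; the patent text shown here does not say how closeness to the second expression is quantified, so this sketch scores the fraction of weighted sub-patterns that match.

```python
import re
from urllib.parse import urlsplit

# Stage 1 (assumed pattern): the target's real domain and any subdomain of it.
# It is applied to the parsed host name only, never to the raw URL string.
LEGIT_HOST = re.compile(r"(?:[a-z0-9-]+\.)*examplebank\.com")

# Stage 2 (assumed pattern): the "unacceptable URL" expression split into
# weighted parts so that a partial match can be quantified.
SUSPECT_PARTS = [
    (re.compile(r"examp[l1]e-?bank"), 0.5),                        # brand or look-alike
    (re.compile(r"login|signin|verify|secure|update"), 0.3),       # credential lure words
    (re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[:/]"), 0.2),   # raw IPv4 host
]

def classify(url, threshold=0.5):
    """Return (label, score) for one URL observed in network traffic."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if LEGIT_HOST.fullmatch(host):
        return "legitimate", 0.0          # whitelisted: stage 2 is skipped
    lowered = url.lower()
    score = sum(w for rx, w in SUSPECT_PARTS if rx.search(lowered))
    label = "suspected-phishing" if score >= threshold else "unknown"
    return label, round(score, 2)

# Constructed sample URLs (documentation domains and address ranges).
SAMPLES = [
    "https://www.examplebank.com/login",
    "http://examplebank.com.evil.example/login",
    "https://www.examplebank.com@evil.example/",
    "http://203.0.113.7/examplebank/verify",
    "https://news.example.org/weather",
]

def classify_all(urls=SAMPLES):
    """Classify every URL and return {url: (label, score)}."""
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, (label, score) in classify_all().items():
        print(f"{label:18} {score:4} {url}")
```

Matching stage 1 with `fullmatch` against the parsed host is what keeps `examplebank.com.evil.example` and the `user@host` form out of the legitimate class; an unanchored search over the whole URL would accept both.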
123 Citations
20 Claims
1. A method comprising:
determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;
classifying the network traffic containing the URL as legitimate if the URL's domain name matches the legitimate Internet domain name; and
if the URL is not classified as legitimate, quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization.
19. An apparatus comprising:
means for determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;
means for classifying the network traffic containing the URL as legitimate if the URL's domain name matches the legitimate Internet domain name; and
means for quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization, if the URL is not classified as legitimate.
20. A computer readable medium encoded with computer executable instructions defining steps comprising:
determining, using a first regular expression for identifying a legitimate Internet domain name, whether a domain name of a URL associated with network traffic matches a legitimate Internet domain name of a target organization;
classifying the network traffic containing the URL as legitimate if the URL's domain name matches the legitimate Internet domain name; and
if the URL is not classified as legitimate, quantifying how closely the URL matches a second regular expression for identifying an unacceptable URL of the target organization.
Specification