Method and Apparatus for Identifying Phishing Websites in Network Traffic Using Generated Regular Expressions
Abstract
According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.
40 Claims
1-20. (canceled)
21. A method comprising:
determining by a network node, using a first regular expression for identifying a legitimate internet domain name, whether a domain name of a uniform resource locator associated with network traffic matches a legitimate internet domain name of a target organization;
classifying network traffic containing the uniform resource locator as legitimate if the uniform resource locator's domain name matches the legitimate internet domain name;
if the network traffic containing the uniform resource locator is not classified as legitimate, quantifying by the network node how closely the uniform resource locator matches a second regular expression for identifying an unacceptable uniform resource locator of the target organization, the second regular expression different from the first regular expression; and
performing a function when network traffic containing the uniform resource locator that is not classified as legitimate matches the second regular expression for identifying an unacceptable uniform resource locator with a matching score greater than a first predetermined threshold, the function comprising delaying the network traffic from reaching its destination and transmitting an indication that the network traffic contains a uniform resource locator which may be an unacceptable uniform resource locator.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34
35. An apparatus comprising:
a processor; and
a memory communicatively coupled to the processor, the memory to store computer program instructions, the computer program instructions when executed on the processor cause the processor to perform operations comprising:
determining, using a first regular expression for identifying a legitimate internet domain name, whether a domain name of a uniform resource locator associated with network traffic matches a legitimate internet domain name of a target organization;
classifying network traffic containing the uniform resource locator as legitimate if the uniform resource locator's domain name matches the legitimate internet domain name;
if the network traffic containing the uniform resource locator is not classified as legitimate, quantifying how closely the uniform resource locator matches a second regular expression for identifying an unacceptable uniform resource locator of the target organization, the second regular expression different from the first regular expression; and
performing a function when network traffic containing the uniform resource locator that is not classified as legitimate matches the second regular expression for identifying an unacceptable uniform resource locator with a matching score greater than a first predetermined threshold, the function comprising delaying the network traffic from reaching its destination and transmitting an indication that the network traffic contains a uniform resource locator which may be an unacceptable uniform resource locator.
Dependent claims: 36, 37
38. A computer readable medium storing computer program instructions, the computer program instructions when executed on a processor cause the processor to perform operations comprising:
a processor; and
a memory communicatively coupled to the processor, the memory to store computer program instructions, the computer program instructions when executed on the processor cause the processor to perform operations comprising:
determining, using a first regular expression for identifying a legitimate internet domain name, whether a domain name of a uniform resource locator associated with network traffic matches a legitimate internet domain name of a target organization;
classifying network traffic containing the uniform resource locator as legitimate if the uniform resource locator's domain name matches the legitimate internet domain name;
if the network traffic containing the uniform resource locator is not classified as legitimate, quantifying how closely the uniform resource locator matches a second regular expression for identifying an unacceptable uniform resource locator of the target organization, the second regular expression different from the first regular expression; and
performing a function when network traffic containing the uniform resource locator that is not classified as legitimate matches the second regular expression for identifying an unacceptable uniform resource locator with a matching score greater than a first predetermined threshold, the function comprising delaying the network traffic from reaching its destination and transmitting an indication that the network traffic contains a uniform resource locator which may be an unacceptable uniform resource locator.
Dependent claims: 39, 40
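The two-stage check recited in claim 21, sketched as an added illustration that is not code from the patent or its assignee. The organization domain `examplebank.example`, the trait sub-patterns, the weights, the 0.7 threshold and the scoring rule itself are assumptions, since this page does not state how the matching score is computed.

```python
import re
from urllib.parse import urlsplit

# First expression: legitimate domain names of the (constructed) target organization.
# It is anchored and applied to the parsed host only, so a lookalike host such as
# "examplebank.example.account-verify.test" cannot pass as legitimate.
LEGIT_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)*examplebank\.example$")

# Second expression: a single regex whose named alternatives are suspicious traits.
SUSPECT_URL_RE = re.compile(
    r"(?P<brand>examplebank)"                      # organization name outside its own domain
    r"|(?P<lure>log-?in|verify|secure|update)"     # credential-lure wording
    r"|(?P<ip_host>(?<=//)\d{1,3}(?:\.\d{1,3}){3}(?=[:/]|$))",  # raw IPv4 host
    re.IGNORECASE,
)

# Assumed scoring rule: sum the weights of the distinct traits that matched.
WEIGHTS = {"brand": 0.5, "lure": 0.3, "ip_host": 0.2}
THRESHOLD = 0.7  # constructed stand-in for the "first predetermined threshold"


def match_score(url: str) -> float:
    """Quantify how closely the URL matches the second expression (0.0 to 1.0)."""
    hits = {m.lastgroup for m in SUSPECT_URL_RE.finditer(url)}
    return round(sum(WEIGHTS[name] for name in hits), 2)


def classify(url: str) -> tuple[str, float]:
    """Return (verdict, score) for one URL seen in network traffic."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lower-cased
    if LEGIT_DOMAIN_RE.match(host):
        return ("legitimate", 0.0)   # stage 1: never scored against stage 2
    score = match_score(url)
    if score > THRESHOLD:
        # Claimed function: delay the traffic and transmit an indication.
        return ("hold_and_alert", score)
    return ("pass", score)


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "https://www.examplebank.example/login",
        "http://examplebank.example.account-verify.test/update",
        "http://news.test/how-to-update-firmware",
    ):
        print(sample, classify(sample))
```

Running stage 1 first is what keeps the organization's own login pages from being scored: they contain the same brand and lure strings that stage 2 weights.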
Specification