Methods and systems for analyzing data related to possible online fraud
First Claim
1. A method of categorizing a web site as a possibly fraudulent web site, the method comprising:
- a computer accessing a set of data related to the web site, the set of data comprising data about a domain associated with the web sitethe computer dividing the set of data into a plurality of components, the plurality of components comprising an Internet Protocol (“
IP”
) address associated with the web site;
analyzing at least some of the plurality of components, wherein analyzing at least some of the plurality of components comprises;
identifying a proper domain identified by a uniform resource locator (“
URL”
) of the web site;
identifying an Internet Protocol (“
IP”
) block assigned to the proper domain; and
comparing the IP address of the web site with the IP block assigned to the proper domain;
assigning a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned;
the computer self-tuning a weight given to each score according to an automatic feedback loop;
assigning a composite score to the set of data, the composite score being based on the plurality of scores and the weight given to each score; and
based on the composite score, categorizing the web site as a possibly fraudulent web site.
9 Assignments
0 Petitions
Accused Products
Abstract
Various embodiments of the invention provide methods, systems and software for analyzing data. In particular embodiments, for example, a set of data about a web site may be analyzed to determine whether the web site is likely to be illegitimate (e.g., to be involved in a fraudulent scheme, such as a phishing scheme, the sale of gray market goods, etc.). In an exemplary embodiment, a set of data may be divided into a plurality of components (each of which, in some cases, may be considered a separate data set). Merely by way of example, a set of data may comprise data gathered from a plurality of data sources, and/or each component may comprise data gathered from one of the plurality of data sources. As another example, a set of data may comprise a document with a plurality of sections, and each component may comprise one of the plurality of sections. Those skilled in the art will appreciate that the analysis of a particular component may comprise certain tests and/or evaluations, and that the analysis of another component may comprise different tests and/or evaluations. In other cases, the analysis of each component may comprise similar tests and/or evaluations. The variety of tests and/or evaluations generally will be implementation specific.
-
Citations
59 Claims
-
1. A method of categorizing a web site as a possibly fraudulent web site, the method comprising:
-
a computer accessing a set of data related to the web site, the set of data comprising data about a domain associated with the web site the computer dividing the set of data into a plurality of components, the plurality of components comprising an Internet Protocol (“
IP”
) address associated with the web site;analyzing at least some of the plurality of components, wherein analyzing at least some of the plurality of components comprises; identifying a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identifying an Internet Protocol (“
IP”
) block assigned to the proper domain; andcomparing the IP address of the web site with the IP block assigned to the proper domain; assigning a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned; the computer self-tuning a weight given to each score according to an automatic feedback loop; assigning a composite score to the set of data, the composite score being based on the plurality of scores and the weight given to each score; and based on the composite score, categorizing the web site as a possibly fraudulent web site. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method of categorizing a web site, the method comprising:
-
a computer performing a plurality of tests on the web site, wherein performing a plurality of tests on the web site comprises; accessing a set of data comprising data about a domain associated with the web site, including an Internet Protocol (“
IP”
) address associated with the web site;identifying a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identifying an Internet Protocol (“
IP”
) block assigned to the proper domain; andcomparing the IP address of the web site with the IP block assigned to the proper domain; the computer assigning a score based on each of the plurality of tests; the computer self-tuning a weight given to each score according to an automatic feedback loop; the computer assigning a composite score to the web site based on the scores for each of the plurality of tests and the weight given to each score; and the computer categorizing the web site based on the composite score. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
-
-
31. A method of categorizing a domain as a possibly illegitimate domain, the method comprising:
-
a computer accessing a domain registration record associated with the domain; performing a plurality of tests with respect to the domain, wherein one of the plurality of tests comprises; identifying a web site associated with the domain; identifying an Internet Protocol (“
IP”
) address associated with the web site;identifying a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identifying an Internet Protocol (“
IP”
) block assigned to the proper domain; andcomparing the IP address of the web site with the IP block assigned to the proper domain; for each of the plurality of tests, assigning a score to the domain, such that a plurality of scores are assigned to the domain; self-tuning a weight given to each score according to an automatic feedback loop; assigning a composite score to the domain, the composite score being based on the plurality of scores and the weight given to each score; and based on the composite score, categorizing the domain as a possibly illegitimate domain. - View Dependent Claims (32, 33, 34, 35, 36, 37)
-
-
38. A method of categorizing a web site as a possibly fraudulent web site, the method comprising:
-
identifying a uniform resource locator (“
URL”
) referencing a web site;(a) verifying with a computer that the web site referenced by the URL is active; (b) analyzing with the computer information about a domain referenced by the URL; (c) analyzing with the computer the format of the URL; (d) searching with the computer one or more sources that may indicate the web site is fraudulent; and based on a result of each of (a), (b) and (c), categorizing the web site referenced by the URL as a possibly fraudulent web site; wherein analyzing information about a domain referenced by the URL comprises; identifying an Internet Protocol (“
IP”
) address of the web site;identifying a proper domain identified by the URL; identifying an Internet Protocol (“
IP”
) block assigned to the proper domain; andcomparing the IP address of the web site with the IP block assigned to the proper domain. - View Dependent Claims (39, 40, 41, 42, 43, 44)
-
-
45. A method of categorizing a web site as a possibly fraudulent web site, wherein the web site comprises a web page, the method comprising:
-
analyzing with a computer a uniform resource locator (“
URL”
) referencing the web site;analyzing with the computer a server hosting the web site; searching with the computer one or more sources that may indicate the web site is fraudulent; analyzing the web page; and based on the analysis of the URL referencing the web site, the analysis of the server hosting the web site, and the analysis of the web page, categorizing the web site as a possibly fraudulent web site; wherein analyzing the server hosting the web site comprises; identifying an Internet Protocol (“
IP”
) address of the web site;identifying a proper domain identified by the URL; identifying an Internet Protocol (“
IP”
) block assigned to the proper domain; andcomparing the IP address of the web site with the IP block assigned to the proper domain. - View Dependent Claims (46, 47, 48, 49)
-
-
50. A computer system for categorizing a web site as a possibly fraudulent web site, the computer system comprising a processor and instructions executable by the processor to:
-
access a set of data related to the web site, the set of data comprising data about a domain associated with the web site divide the set of data into a plurality of components, the plurality of components comprising an Internet Protocol (“
IP”
) address associated with the web site;analyze at least some of the plurality of components, wherein the instructions executable to analyze at least some of the plurality of components comprises instructions executable by the processor to; identify a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain; assign a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned; self-tune a weight given to each score according to an automatic feedback loop; assign a composite score to the set of data, the composite score being based on the plurality of scores and the weight given to each score; and based on the composite score, categorize the web site as a possibly fraudulent web site.
-
-
51. A computer system for categorizing a web site, the computer system comprising a processor and instructions executable by the processor to:
-
perform a plurality of tests on the web site, wherein the instructions to perform a plurality of tests on the web site comprise instructions executable by the processor to; access a set of data comprising data about a domain associated with the web site, including an Internet Protocol (“
IP”
) address associated with the web site;identify a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain; assign a score to each of the plurality of tests; self-tune a weight given to the score according to an automatic feedback loop; assign a composite score to the web site based on the scores for each of the plurality of tests; and categorize the web site based on the composite score.
-
-
52. A computer system for categorizing a domain as a possibly illegitimate domain, the computer system comprising a processor and instructions executable by the processor to:
-
access a domain registration; perform a plurality of tests with respect to the domain, wherein the instructions to perform a plurality of tests with respect to the domain comprise instructions executable by the processor to; identify a web site associated with the domain; identify an Internet Protocol (“
IP”
) address associated with the web site;identify a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain; for each of the plurality of tests, assign a score to the domain, such that a plurality of scores are assigned to the domain; self-tune a weight given to each score according to an automatic feedback loop; assign a composite score to the domain, the composite score being based on the plurality of scores and the weight given to each score; and based on the composite score, categorize the domain as a possibly illegitimate domain.
-
-
53. A computer system for categorizing a web site as a possibly fraudulent web site, the computer system comprising a processor and instructions executable by the processor to:
-
identify a uniform resource locator (“
URL”
) referencing a web site;(a) verify that the web site referenced by the URL is active; (b) analyze information about a domain referenced by the URL; (c) analyze the format of the URL; (d) search one or more sources that may indicate the web site is fraudulent; and based on a result of each of (a), (b) and (c), categorize the web site referenced by the URL as a possibly fraudulent web site; wherein the instructions executable to analyze information about a domain referenced by the URL comprise instructions executable by the processor to; identify an Internet Protocol (“
IP”
) address of the web site;identify a proper domain identified by the URL; identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain.
-
-
54. A computer system for categorizing a web site as a possibly fraudulent web site, wherein the web site comprises a web page, the computer system comprising a processor and instructions executable by the processor to:
-
analyze a uniform resource locator (“
URL”
) referencing the web site;analyze a server hosting the web site; search one or more sources that may indicate the web site is fraudulent; analyze the web page; and based on the analysis of the URL referencing the web site, the analysis of the server hosting the web site, and the analysis of the web page, categorize the web site as a possibly fraudulent web site; wherein the instructions executable to analyze the server hosting the web site comprise instructions executable by the processor to; identify an Internet Protocol (“
IP”
) address of the web site;identify a proper domain identified by the URL; identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain.
-
-
55. A software program embodied on a computer readable storage medium, the software program comprising instructions executable by one or more computers to:
-
access a set of data related to the web site, the set of data comprising data about a domain associated with the web site divide the set of data into a plurality of components, the plurality of components comprising an Internet Protocol (“
IP”
) address associated with the web site;analyze at least some of the plurality of components, wherein the instructions executable to analyze at least some of the plurality of components comprises instructions executable by the one or more computers to; identify a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain; assign a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned; self-tune a weight given to each score according to an automatic feedback loop; assign a composite score to the set of data, the composite score being based on the plurality of scores and the weight given to each score; and based on the composite score, categorize the web site as a possibly fraudulent web site.
-
-
56. A software program embodied on a computer readable storage medium, the software program comprising instructions executable by one or more computers to:
-
perform a plurality of tests on the web site, wherein the instructions to perform a plurality of tests on the web site comprise instructions executable by the one or more computers to; access a set of data comprising data about a domain associated with the web site, including an Internet Protocol (“
IP”
) address associated with the web site;identify a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain; assign a score to each of the plurality of tests; self-tune a weight given to the score according to an automatic feedback loop; assign a composite score to the web site based on the scores for each of the plurality of tests; and categorize the web site based on the composite score.
-
-
57. A software program embodied on a computer readable storage medium, the software program comprising instructions executable by one or more computers to:
-
access a domain registration; perform a plurality of tests with respect to the domain, wherein the instructions to perform a plurality of tests with respect to the domain comprise instructions executable by the one or more computers to; identify a web site associated with the domain; identify an Internet Protocol (“
IP”
) address associated with the web site;identify a proper domain identified by a uniform resource locator (“
URL”
) of the web site;identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain; for each of the plurality of tests, assign a score to the domain, such that a plurality of scores are assigned to the domain; self-tune a weight given to each score according to an automatic feedback loop; assign a composite score to the domain, the composite score being based on the plurality of scores and the weight given to each score; and based on the composite score, categorize the domain as a possibly illegitimate domain.
-
-
58. A software program embodied on a computer readable storage medium, the software program comprising instructions executable by one or more computers to:
-
identify a uniform resource locator (“
URL”
) referencing a web site;(a) verify that the web site referenced by the URL is active; (b) analyze information about a domain referenced by the URL; (c) analyze the format of the URL; (d) search one or more sources that may indicate the web site is fraudulent; and based on a result of each of (a), (b) and (c), categorize the web site referenced by the URL as a possibly fraudulent web site; wherein the instructions executable to analyze information about a domain referenced by the URL comprise instructions executable by the one or more computers to; identify an Internet Protocol (“
IP”
) address of the web site;identify a proper domain identified by the URL; identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain.
-
-
59. A software program embodied on a computer readable storage medium, the software program comprising instructions executable by one or more computers to:
-
analyze a uniform resource locator (“
URL”
) referencing a web site, wherein the web site comprises a web page;analyze a server hosting the web site; search one or more sources that may indicate the web site is fraudulent; analyze the web page; and based on the analysis of the URL referencing the web site, the analysis of the server hosting the web site, and the analysis of the web page, categorize the web site as a possibly fraudulent web site; wherein the instructions executable to analyze the server hosting the web site comprise instructions executable by the one or more computers to; identify an Internet Protocol (“
IP”
) address of the web site;identify a proper domain identified by the URL; identify an Internet Protocol (“
IP”
) block assigned to the proper domain; andcompare the IP address of the web site with the IP block assigned to the proper domain.
-
Specification