Method and system for identifying network addresses associated with suspect network destinations
Abstract
A method and system for identifying network addresses associated with suspect network destinations is described. One embodiment receives a target Uniform Resource Locator (URL) to be analyzed; segments the target URL into a set of component parts; classifies each component part in the set of component parts as a primary domain, a subdomain, or a page; hashes each component part in the set of component parts to produce a hash value for that component part; compares the hash values of the set of component parts from the target URL with hash values stored in a database, the hash values stored in the database having been obtained by segmenting, classifying, and hashing, in the same manner as the target URL, each of a set of URLs known to be associated with suspect network destinations; computes a score that indicates the extent to which the hash values of the set of component parts from the target URL match hash values stored in the database; and takes corrective action when the score satisfies a predetermined criterion. In one embodiment, taking corrective action includes notifying a user that the target URL is believed to be associated with a suspect network destination. In another embodiment, taking corrective action includes blocking a network connection between a computer and the network destination associated with the target URL.
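The pipeline described in the abstract (segment, classify, hash, compare, score, act) can be sketched as follows. This is an added example, not code from the patent: the SHA-256 hash, the weights, the 0.5 threshold, the "last two host labels" rule for the primary domain, and the sample URLs are all assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed values: the claims only require "a score" and "a predetermined threshold".
WEIGHTS = {"primary": 3, "subdomain": 2, "page": 1}
THRESHOLD = 0.5

def segment_and_classify(url):
    """Split a URL into (class, part) pairs: primary domain, subdomains, pages."""
    parts = urlsplit(url if "://" in url else "//" + url)
    labels = (parts.hostname or "").rstrip(".").split(".")
    # Assumption: the primary domain is the last two host labels. A real
    # deployment would use the Public Suffix List (e.g. for example.co.uk).
    primary = ".".join(labels[-2:])
    out = [("primary", primary)] if primary else []
    out += [("subdomain", label) for label in labels[:-2] if label]
    out += [("page", seg) for seg in parts.path.split("/") if seg]
    return out

def hash_part(kind, part):
    # The class is mixed into the hash so a page named like a subdomain never
    # collides with it (cf. claim 6: the hash value carries the classification).
    return hashlib.sha256(f"{kind}:{part}".encode()).hexdigest()

def build_database(suspect_urls):
    """Store only the hashes of the component parts of known-suspect URLs."""
    return {hash_part(k, p) for u in suspect_urls for k, p in segment_and_classify(u)}

def score(target_url, database):
    """Weighted fraction of the target's component parts found in the database."""
    parts = segment_and_classify(target_url)
    total = sum(WEIGHTS[k] for k, _ in parts)
    matched = sum(WEIGHTS[k] for k, p in parts if hash_part(k, p) in database)
    return matched / total if total else 0.0

def corrective_action(target_url, database):
    # The criterion in the claims: the score must exceed the threshold.
    return "block" if score(target_url, database) > THRESHOLD else "allow"

# Constructed sample data (reserved .example names, not real indicators).
SUSPECT_URLS = ["http://login.badsite.example/verify/account.php",
                "http://cdn.evil-host.example/update.exe"]
DB = build_database(SUSPECT_URLS)

if __name__ == "__main__":
    for url in ("http://secure.badsite.example/verify/index.html",
                "https://www.goodsite.example/verify/"):
        print(f"{url}: score={score(url, DB):.3f} -> {corrective_action(url, DB)}")
```

Because matching is per component rather than per full URL, a new subdomain or page on a known-suspect primary domain still scores high, while a benign site that merely shares a common path segment stays below the threshold.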
20 Claims
1. A method for identifying a network address associated with a suspect network destination, the method comprising:
collecting a set of Uniform Resource Locators (URLs), each URL in the set of URLs being associated with a suspect network destination;
segmenting each URL in the set of URLs into a set of component parts;
for each URL in the set of URLs, classifying each component part in the set of component parts from that URL as one of a primary domain, a subdomain, and a page;
for each URL in the set of URLs, hashing each component part in the set of component parts from that URL to produce a hash value for that component part;
storing in a database the hash values of the component parts of the URLs in the set of URLs;
receiving a target URL to be analyzed;
segmenting the target URL into a set of component parts;
classifying each component part in the set of component parts from the target URL as one of a primary domain, a subdomain, and a page;
hashing each component part in the set of component parts from the target URL to produce a hash value for that component part;
comparing the hash values of the set of component parts from the target URL with the hash values stored in the database;
computing a score that indicates the extent to which the hash values of the set of component parts from the target URL match hash values stored in the database; and
taking corrective action, when the score satisfies a predetermined criterion, and wherein the predetermined criterion is that the score exceed a predetermined threshold.
Dependent claims: 2, 3, 4, 5
6. A method for identifying a network address associated with a suspect network destination, the method comprising:
receiving a target Uniform Resource Locator (URL) to be analyzed;
segmenting the target URL into a set of component parts;
classifying each component part in the set of component parts from the target URL as one of a primary domain, a subdomain, and a page;
hashing each component part in the set of component parts from the target URL to produce a hash value for that component part, the hash value having a classification that coincides with the classifying of that component part;
comparing the hash values of the set of component parts from the target URL with hash values stored in a database, the hash values stored in the database having been obtained by segmenting, classifying, and hashing, in the same manner as the target URL, each of a set of URLs known to be associated with suspect network destinations;
computing a score that indicates the extent to which the hash values of the set of component parts from the target URL match hash values stored in the database; and
taking corrective action, when the score satisfies a predetermined criterion, and wherein the predetermined criterion is that the score exceed a predetermined threshold.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A system for identifying a network address associated with a suspect network destination, the system comprising:
a segmentation module configured to segment a target Uniform Resource Locator (URL) into a set of component parts;
a classification module configured to classify each component part in the set of component parts as one of a primary domain, a subdomain, and a page;
a hashing module configured to compute a hash value for each component part in the set of component parts;
a database containing hash values obtained from a set of URLs known to be associated with suspect network destinations, each URL in the set of URLs having been segmented, classified, and hashed in a manner analogous to the target URL;
a comparison module configured to:
compare the hash values of the component parts in the set of component parts with hash values stored in the database; and
compute a score that indicates the extent to which the hash values of the component parts in the set of component parts match hash values stored in the database; and
a security module configured to take corrective action when the score satisfies a predetermined criterion, and wherein the predetermined criterion is that the score exceed a predetermined threshold.
Dependent claims: 17, 18, 19, 20
Specification