Methods and apparatus to detect risks using application layer protocol headers
Abstract
Methods, apparatus, systems and articles of manufacture to detect risks using application protocol headers are disclosed. An example method includes extracting characteristics from a header of a received hypertext transport protocol (HTTP) request, determining a first score corresponding to a first characteristic of the characteristics, determining a second score corresponding to a second characteristic of the characteristics, adding the first score and the second score to determine a combined score, and indicating that the received HTTP request is malware when the combined score meets a threshold.
27 Claims
1. A method to analyze network communications, the method comprising:
- extracting characteristics from a header of a received hypertext transport protocol (HTTP) request;
- determining a length of a user agent field of the header as a first characteristic of the characteristics;
- determining, via a processor, a first score as a first value when the length of the user agent field is less than a length threshold, wherein the first value indicates that the received HTTP request is more likely to be malware;
- determining a second score corresponding to a second characteristic of the characteristics;
- adding the first score and the second score to determine a combined score; and
- indicating that the received HTTP request is malware when the combined score meets a threshold.

Dependent claims: 2 to 9.
10. An apparatus to analyze network communications, the apparatus comprising:
- a header extractor to extract characteristics from a header of a received hypertext transport protocol (HTTP) request, wherein a user agent field is a first characteristic of the characteristics;
- a score generator to determine a first score as a first value when a length of the user agent field is less than a length threshold, wherein the first value indicates that the received HTTP request is more likely to be malware, determine a second score corresponding to a second characteristic of the characteristics; adding the first score and the second score to determine a combined score;
- a combiner to add the first score and the second score to determine a combined score; and
- a risk detector to indicate that the received HTTP request is malware when the combined score meets a threshold, wherein at least one of the header extractor, the score generator, or the risk detector is implemented via a logic circuit.

Dependent claims: 11 to 18.
19. A tangible computer readable storage medium including instructions that, when executed, cause a machine to at least:
- extract characteristics from a header of a received hypertext transport protocol (HTTP) request, wherein a user agent field of the header is a first characteristic of the characteristics;
- determine a length of the user agent field of the header;
- determine a first score as a first value when the length of the user agent field is less than a length threshold, wherein the first value indicates that the received HTTP request is more likely to be malware;
- determine a second score corresponding to a second characteristic of the characteristics;
- add the first score and the second score to determine a combined score; and
- indicate that the received HTTP request is malware when the combined score meets a threshold.

Dependent claims: 20 to 27.
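The additive header scoring that the independent claims describe, as an added illustration that is not code from the patent or its assignee. It assumes a User-Agent length threshold of 20 characters, the absence of an Accept header as the second characteristic, and a combined-score threshold of 2; all three values and the sample requests are constructed for this example.

```python
"""Additive HTTP header scoring in the style of the claims above.

The length threshold, the choice of second characteristic and the risk
threshold are illustrative assumptions, not values taken from the patent."""

UA_LENGTH_THRESHOLD = 20  # assumed: User-Agent shorter than this scores 1
RISK_THRESHOLD = 2        # assumed: combined score at or above this is flagged


def parse_request_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:                     # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def score_user_agent_length(headers: dict[str, str]) -> int:
    """First characteristic (claim 1): a short or absent User-Agent scores 1."""
    return 1 if len(headers.get("user-agent", "")) < UA_LENGTH_THRESHOLD else 0


def score_missing_accept(headers: dict[str, str]) -> int:
    """Second characteristic (assumed here): browsers send Accept, so its absence scores 1."""
    return 0 if "accept" in headers else 1


def combined_score(headers: dict[str, str]) -> int:
    """Claim 1's combiner: the scores are simply added."""
    return score_user_agent_length(headers) + score_missing_accept(headers)


def is_flagged(raw: str) -> bool:
    """Risk detector: flag the request when the combined score meets the threshold."""
    return combined_score(parse_request_headers(raw)) >= RISK_THRESHOLD


# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                   "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n"
                   "Accept: text/html,application/xhtml+xml\r\n\r\n")
SUSPICIOUS_REQUEST = ("GET /check HTTP/1.1\r\nHost: example.com\r\n"
                      "User-Agent: Mozilla/4.0\r\n\r\n")   # short UA and no Accept
SHORT_UA_ONLY = ("GET /check HTTP/1.1\r\nHost: example.com\r\n"
                 "User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")  # one characteristic only
```

The third sample shows why the claims add scores rather than acting on one characteristic: a short User-Agent from a command-line tool scores 1 and is not flagged on its own.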