Identifying malicious web infrastructures

US 9,571,518 B2
Filed: 03/06/2015
Issued: 02/14/2017
Est. Priority Date: 03/06/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A computer system for identifying malicious servers, the computer system comprising:

a bus system;

a storage device connected to the bus system, wherein the storage device stores program instructions; and

a processor connected to the bus system, wherein the processor executes the program instructions to;

search a set of server domain name white lists to determine whether a server in a plurality of identified servers within a network is listed in the set of server domain name white lists;

query a set of search engines to determine whether the server in the plurality of identified servers within the network is listed in a server domain name search result;

identify the server as an invisible server and add the server to an invisible server list in response to determining that the server in the plurality of identified servers within the network is not listed in the set of server domain name white lists and not listed in the server domain name search result;

identify the server in the plurality of identified servers as a visible server and add the server to a visible server list in response to determining that the server in the plurality of identified servers within the network is listed in at least one of the set of server domain name white lists and the server domain name search result;

place each server in the plurality of identified servers within the network in a bipartite graph based on locating each server in one of the visible server list or the invisible server list;

determine malicious edges between server vertices corresponding to visible servers and invisible servers involved in network traffic redirection chains based on determined graph-based features within a bipartite graph corresponding to visible and invisible server vertices involved in the network traffic redirection chains and determined distance-based features corresponding to the invisible server vertices involved in the network traffic redirection chains;

identify malicious server vertices in the bipartite graph based on the determined malicious edges between the server vertices corresponding to the visible servers and invisible servers involved in the network traffic redirection chains; and

block access by client devices to malicious servers corresponding to the identified malicious server vertices in the bipartite graph.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Identifying malicious servers is provided. Malicious edges between server vertices corresponding to visible servers and invisible servers involved in network traffic redirection chains are determined based on determined graph-based features within a bipartite graph corresponding to invisible server vertices involved in the network traffic redirection chains and determined distance-based features corresponding to the invisible server vertices involved in the network traffic redirection chains. Malicious server vertices are identified in the bipartite graph based on the determined malicious edges between the server vertices corresponding to the visible servers and invisible servers involved in the network traffic redirection chains. Access by client devices is blocked to malicious servers corresponding to the identified malicious server vertices in the bipartite graph.

13 Citations

View as Search Results

8 Claims

1. A computer system for identifying malicious servers, the computer system comprising:
- a bus system;
  
  a storage device connected to the bus system, wherein the storage device stores program instructions; and
  
  a processor connected to the bus system, wherein the processor executes the program instructions to;
  
  search a set of server domain name white lists to determine whether a server in a plurality of identified servers within a network is listed in the set of server domain name white lists;
  
  query a set of search engines to determine whether the server in the plurality of identified servers within the network is listed in a server domain name search result;
  
  identify the server as an invisible server and add the server to an invisible server list in response to determining that the server in the plurality of identified servers within the network is not listed in the set of server domain name white lists and not listed in the server domain name search result;
  
  identify the server in the plurality of identified servers as a visible server and add the server to a visible server list in response to determining that the server in the plurality of identified servers within the network is listed in at least one of the set of server domain name white lists and the server domain name search result;
  
  place each server in the plurality of identified servers within the network in a bipartite graph based on locating each server in one of the visible server list or the invisible server list;
  
  determine malicious edges between server vertices corresponding to visible servers and invisible servers involved in network traffic redirection chains based on determined graph-based features within a bipartite graph corresponding to visible and invisible server vertices involved in the network traffic redirection chains and determined distance-based features corresponding to the invisible server vertices involved in the network traffic redirection chains;
  
  identify malicious server vertices in the bipartite graph based on the determined malicious edges between the server vertices corresponding to the visible servers and invisible servers involved in the network traffic redirection chains; and
  
  block access by client devices to malicious servers corresponding to the identified malicious server vertices in the bipartite graph.

2. A computer program product for identifying malicious servers, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising:
- searching, by the computer, a set of server domain name white lists to determine whether a server in a plurality of identified servers within a network is listed in the set of server domain name white lists;
  
  querying, by the computer, a set of search engines to determine whether the server in the plurality of identified servers within the network is listed in a server domain name search result;
  
  responsive to the computer determining that the server in the plurality of identified servers within the network is not listed in the set of server domain name white lists and not listed in the server domain name search result, identifying, by the computer, the server as an invisible server and adding, by the computer, the server to an invisible server list;
  
  responsive to the computer determining that the server in the plurality of identified servers within the network is listed in at least one of the set of server domain name white lists and the server domain name search result, identifying, by the computer, the server in the plurality of identified servers as a visible server and adding, by the computer, the server to a visible server list;
  
  placing, by the computer, each server in the plurality of identified servers within the network in a bipartite graph based on locating each server in one of the visible server list or the invisible server list;
  
  determining, by the computer, malicious edges between server vertices corresponding to visible servers and invisible servers involved in network traffic redirection chains based on determined graph-based features within the bipartite graph corresponding to visible and invisible server vertices involved in the network traffic redirection chains and determined distance-based features corresponding to the invisible server vertices involved in the network traffic redirection chains;
  
  identifying, by the computer, malicious server vertices in the bipartite graph based on the determined malicious edges between the server vertices corresponding to the visible servers and invisible servers involved in the network traffic redirection chains; and
  
  blocking, by the computer, access by client devices to malicious servers corresponding to the identified malicious server vertices in the bipartite graph.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The computer program product of claim 2 further comprising:
    - inputting, by the computer, the determined graph-based features within the bipartite graph corresponding to the invisible server vertices involved in the network traffic redirection chains and the determined distance-based features corresponding to the invisible server vertices involved in the network traffic redirection chains into a machine learning classifier.
  - 4. The computer program product of claim 3, wherein the determined graph-based features are out-degree, in-degree, and a ratio between out-degree and in-degree for each invisible server involved in a network traffic redirection chain.
  - 5. The computer program product of claim 3, wherein the determined distance-based features are distance between IP address numbers of each of the invisible servers, difference in domain name registration information between each of the invisible servers, and distance in physical location between each of the invisible servers.
  - 6. The computer program product of claim 2 further comprising:
    - assigning, by the computer, a first malicious score of one to each server in the plurality of identified servers within the network previously identified as a malicious server and assigning, by the computer, a second malicious score of zero to other servers in the plurality of identified servers not previously identified as malicious.
  - 7. The computer program product of claim 6 further comprising:
    - generating, by the computer, a visibility score for those invisible servers identified as malicious.
  - 8. The computer program product of claim 7 further comprising:
    - adding, by the computer, the assigned malicious score and the generated visibility score to corresponding server vertices within a server network traffic propagation chain graph; and
      
      propagating, by the computer, the assigned malicious score and the generated visibility score of a corresponding server vertex to neighboring server vertices within the server network traffic propagation chain graph.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hu, Xin, Jang, Jiyong, Wang, Ting, Zhang, Jialong
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US14/640,658
Publication Number

US 20160261626A1
Time in Patent Office

711 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/1475   Passive attacks, e.g. eaves...

Identifying malicious web infrastructures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

8 Claims

Specification

Use Cases

Quick Links

Others

Identifying malicious web infrastructures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

8 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others