It is common practice for cybercriminals to prey on their victims by sending them malicious electronic messages such as emails, text messages (SMS, MMS . . . ) or instant messages (WhatsApp, WeChat, Line, Telegram . . . ). Such cyberthreats, which may employ phishing, ransomware or cryptominers, for example, often contain Uniform Resource Locators (URLs) embedded in the electronic messages. Responsive to such threats, security vendors have developed URL scanning technologies to detect and block malicious URLs, using a wide range of algorithms and technologies such as machine learning, text mining, sandboxing and/or computer vision techniques. Such URL scanning technologies have been quite successful in detecting these online cyberthreats. As a result, the cybercriminals' bottom lines have been negatively impacted. To protect their illicit revenue stream, cybercriminals responded by implementing mechanisms to identify and block these security vendors scanners.
A phishing kit is an electronic package that contains a complete phishing web site in an easy-to-deploy format. Phishing kits have evolved over time and have become increasingly complex. The most sophisticated phishing kits include techniques to thwart URL scanning technologies or any other suspect incoming Hyper Text Transfer Protocol (HTTP) connection. Typically, if the phishing kit detects a suspect incoming HTTP connection, instead of returning the phishing website content, the phishing kit may perform a defensive action to lure what could be potentially a URL scanning technology away from the malicious URL (in effect, saying “move along, nothing to see here!”). Herein, a defensive action may include one of the following:
The above list is not exhaustive and may also include any other defensive action performed by the phishing kit to prevent the potential URL scanning technology from accessing or learning of the very existence of a fraudulent phishing website.
Phishing kits may evaluate an incoming HTTP connection by analyzing features such as:
This list is also not exhaustive and may also include any other feature that may be directly or indirectly related to an incoming HTTP connection that the fraudster may consider germane to their evaluation of a suspect (e.g., URL scanning technology-containing) incoming HTTP connection. In this case, the suspect incoming HTTP connection may be a connection that originates or is sent on behalf of a security company. Using these and other techniques, cybercriminals attempt to limit access to their phishing website to only legitimate (real potential victims) and unsuspecting marks (such as the target recipients of the malicious electronic messages) and deny access to or redirect security companies away from the fraudulent phishing websites.
The above-listed features, which may be indicative of a URL scanning technology incoming HTTP connection, may be used by the cybercriminals who deployed the phishing kit to identify a security vendor or a security research organization, for the purposes of initiating some defensive action. Indeed, the connecting IP address may belong to one of the security companies. For instance, such IP addresses may be identified by matching the IP address of the incoming HTTP connection against a list of known IP ranges that belong to the aforementioned security companies. Alternatively, the identification of such IP addresses may be performed by comparing the reverse DNS of the connecting IP address with a list of domains or subdomains that belong to or are known to be used by security companies.
The User-Agent header is another feature that may be indicative of a connection performed by internet robots, scripts, automated software and the like, and that may give the incoming HTTP connection away as having originated by a security company.
The phishing kit containing the PHP code of
In combination, these features may also be used to enable cybercriminals to target a specific end-user type. Such targeting aims to ensure that the malicious phishing website content is returned only to the intended victims (who may be identified by matching a number of criteria) and to ensure that an error code is generated, or the incoming HTTP connection is redirected to a legitimate website otherwise. For example, the reverse DNS of the connecting IP address can be used to target end-users that connect with a specific ISP (Internet Service Provider such as Comcast, Cox, British Telecom, etc.) internet connection. Indeed, such ISPs are most often associated with consumer end-users, rather than commercial enterprises such as security companies. For example, specific combinations of features may be used to increase the probability that the incoming HTTP connection looks like it originated from an ISP customer, the intended phishing target. Such incoming HTTP connections from ISP customers may be granted access to the phishing website, while all other will be denied access thereto, either through redirection or through returning an error message.
The geolocation of the connecting IP may also be used to target end-users that connect from a specific country. IP address geolocation data may include information such as country, region, city, postal/zip code, latitude, longitude and time zone. Deeper data sets can determine other parameters such as domain name, connection speed, ISP, language, proxies, company name, US Designated Market Area/Metropolitan Statistical Area (DMA/MSA), North American Industry Classification System (NAICS) codes, and home/business. For example, and significantly with respect to embodiments, a phishing website that counterfeits a Japanese bank website may consider internet traffic coming from IP addresses geolocated outside of Japan to be suspect, as most Japanese customers of the Japanese bank (the phisher's intended victims) will customarily connect from an IP address geolocated in Japan.
The User-Agent header may also be used to target users of specific devices, operating systems and internet browsers, as the User-Agent value customarily contains this information. For example, the User-Agent header may be used in the context of a phishing that targets only iPhone users. The Accept-Language header may also be used to target end-users that use a specific language. For example, a phishing website that counterfeits a Japanese bank website may consider an incoming HTTP connection that includes an Accept-Language header that does not contain Japanese to be suspect and may deny that incoming connection access to the counterfeited website.
As a growing number of cybercriminals are implementing mechanisms to detect and defeat URL scanning technologies, as detailed above, a significant need has arisen to improve these existing URL scanning technologies so that they remain effective in protecting end-users by detecting and blocking cyberthreats.
As noted above, cyberthreats are often spread by inserting malicious URLs in electronic messages such as emails, text messages or instant messages that are sent to the potential victims. According to one embodiment, the electronic message and its context may be deconstructed and analyzed to yield a great deal of useful information that may be used to determine a set of parameters that are referred to herein as optimal scanning parameters for the analysis of the suspicious URL(s) it contains. Such optimal scanning parameters, according to one embodiment, may be used by a URL scanning service to scan the suspicious URLs without generating defensive actions; that is, while appearing to be one of the phishing site's intended victims.
Consider the phishing email shown in
From the foregoing, it is likely that this phishing attempt specifically targeted an Italian end-user. According to one embodiment, therefore, a successful scan of the URL(s) embedded in this email may be performed using:
Formalizing the language, let M denote an electronic message (including, but not limited to email, text, instant message, etc.) that contains at least one URL. Each such electronic message M may contain one or more URLs that may point the unsuspecting end-user to a malicious website. One or more of these embedded URLs may be selected for scanning. That is, a single one of the embedded URLs may be selected for scanning, more than one but fewer than all URLs may be selected for scanning or all of the URLs embedded in the electronic message may be selected for scanning. The expression UM={uM,1, . . . , uM,n} denotes the list of URLs selected in message M to scan. The list may be a singleton or may include more than one member.
The expression UM=SelectURLs(M) denotes a function that analyzes message M, extract URLs from M and selects from among the extracted URLs those URL(s) to scan. In one embodiment, the selected URLs may be a subset of the URLs contained in M so that only the most suspicious URL or URLs will be considered for scanning. Toward that end, a suspicion score may be computed to enable the selection of the most suspicious URL(s). According to one embodiment, different features and computer-implemented methods may be used in the computation of the suspicion score. For example, whether the URL under consideration is clickable is a significant feature that may associated with higher suspicion scores. The suspicion score may be computed using, for example, anomaly detection algorithms, supervised learning algorithms, Natural Language Processing algorithms and/or computer vision algorithms, to name but a few possibilities. URLs associated with a high reputation domain may be disregarded or assigned a lower suspicion score, as it is very unlikely that URLs whose domain has a high reputation are malicious. See (HighReputationDomains) below. It is to be noted, however, that URL-shortening services domains such as bit.ly or ow.ly, although well-known and arguably of high reputation, are frequently abused by cybercriminals.
A list of p features extracted from message M may be represented as FM={fM,1, . . . , fM,p}. The function FM=ComputeFeatures(M) extracts the features FM from the different components of M and, as necessary, processes the extracted data according to a selected method. According to one embodiment, the components of M that may be considered for extraction may include, for example, the sender of M, the recipient of M, the content of M and/or any other header or metadata associated with M.
The features may be computed from the extracted data through one or more of analyzing text content, querying DNS, querying WHOIS, querying an IP address geolocation database, applying Natural Language Processing, for example to identify the main language used in M and/or applying computer vision algorithm such as the Scale-Invariant Feature Transform (SIFT) or Oriented FAST and rotated BRIEF (ORB) feature detection algorithms, for example, to recognize and to extract a brand logo in M that is rendered as an image. WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.
Considering again the example of
An alternative set of features, that mix categorical, discrete and continuous values, and that consider INPS as being one of many Italian brands, may include:
Features may be different for other type of messages, such as text messages and instant messages, as these messages may have different data available that may drive the selection of the features. This set of categorical, discrete and continuous features may be typically described by a feature vector.
Optimal scanning parameters may now be determined. According to one embodiment, optimal scanning parameters SPM={spM,1, . . . , spM,q} may be returned by a function SPM=DetermineSP(FM). Such optimal scanning parameters, according to one embodiment, may include one or more of the following parameters:
It is to be noted that some parameters are dependent on others, as an IP address may already have a geolocation, may already have an associated reverse DNS and may already have WHOIS information. The above list of optimal scanning parameters is not intended to be an all-inclusive list of such possible parameters, as those of skill in this art may recognize.
Below is an example of optimal scanning parameters:
In this case, the optimal scanning parameters include that the IP address is geolocated in Italy. Furthermore, the HTTP client advertises to the server that content should be delivered in Italian or alternatively in English, with respective q-value priorities of 0.9 and 0.8.
Here is another example of such optimal scanning parameters:
The optimal scanning parameters, in this case, include that the IP address reverse DNS includes the subdomain bbox.fr, that the User-Agent header indicates, among other details, a Chrome browser version 68.0.3440.106 running on an Intel Mac OS X 10.13.6 computer.
In this manner, the function SPM=DetermineSP(FM), according to one embodiment, determines optimal scanning parameters for message M. This function takes FM={fM,1, . . . , fM,p} features as an input and returns SPM={spM,1, . . . , spM,q} scanning parameters. According to one embodiment, this function may be or include an algorithm or a combination of algorithms such as, for example, a decision tree or a combination of decision trees and/or a neural network or a combination of neural networks and may be trained, for example, with Supervised Learning methods. See
In one embodiment, the function SPM=DetermineSP(FM) may, according to one embodiment, select optimal scanning parameters using a decision tree or a combination of decision trees. A decision tree consists of a set of nodes N and a set of edges E that form a rooted tree: it is a directed tree with a node called root that has no incoming edges. All other nodes have exactly one incoming edge. A node with outgoing edges is called an internal node or test node. All other nodes are called leaves or terminal nodes. The decision tree, according to one embodiment, may be configured to take FM features or a subset of FM features as an input such that each test node considers a subset of FM features and each terminal node outputs one or more spM,i scanning parameters. A decision tree may be constructed manually. Alternatively, a decision tree may be constructed programmatically in the context of Supervised Learning.
As shown, if the ccTLD is Italy, and the main language in the email body is Italian, the SPM scanning parameter IP address geolocation is Italy. If the main language in the email body is other than Italian, the IP address geolocation defaults, in this exemplary implementation, to USA. Similarly, if the ccTLD is France, and the main language in the email body is French, the SPM scanning parameter IP address geolocation is France. If the main language in the email body is other than French, the IP address geolocation defaults, in this decision tree, to USA. Likewise, if the ccTLD is other than Italy or France and the main language in the email body is Italian, the SPM scanning parameter IP address geolocation is Italy. If the ccTLD is other than Italy or France and the main language in the email body is French, the SPM scanning parameter IP address geolocation is France. If the ccTLD is other than Italy or France and the main language in the email body is other than Italian or French, the IP address geolocation defaults to USA in this example.
As shown in
It is to be understood that
In one embodiment, the function SPM=DetermineSP(FM) may, according to one embodiment, select optimal scanning parameters using a supervised learning algorithm with reverse engineering of phishing kits. Consider a pair (PM, PK) where PM is a phishing message and PK the phishing kit that is associated with the malicious URL contained in PM. A set of n such pairs {(PM1, PK1), . . . , (PMn, PKn)} is then collected. Consider now a Supervised Learning algorithm. For each pair (PMi, PKi), the Supervised Learning algorithm considers:
The supervised learning algorithm's task is to seek an optimal function g: X→Y that maps the input space X={FPM
For example, let's consider the pair (PM1, PK1) where:
A manual or programmatic reverse engineering of the source code of the phishing kit shows that:
For the pair (PM1, PK1), the Supervised Learning algorithm considers:
To train and test the Supervised Learning algorithm with accuracy, it is preferable to collect many more (PMi, PKi) pairs.
In one embodiment, the function SPM=DetermineSP(FM) may select optimal scanning parameters using a supervised learning algorithm where the optimal scanning parameters for the training of DetermineSP underlying the supervised learning model are determined using a TestScanURL(SPM, muM) function. The TestScanURL(SPM, muM) function, according to one embodiment, may be used during training of the DetermineSP function that selects the optimal scanning parameters. The TestScanURL(SPM, muM) function, according to one embodiment, is not used in any URL scanning technology or in any message service context, when an email is received, as its purpose is limited to train the DetermineSP function, as discussed in greater detail hereunder.
Consider a pair (M, SPM) where M is a message containing a malicious URL muM and SPM scanning parameters such that TestScanURL(SPM, muM) returns 1. A set of n training pairs of messages and optimal scanning parameters {(M1, SPM
The Supervised Learning algorithm's task is to seek an optimal function g: X→Y that maps the input space X={FM
For example, let's consider the pair (M1, SPM
For example, an exhaustive search of scanning parameters may be performed with TestScanURL to find SPM
Alternate methods may be used. For example, we may use FM
The function res=TestScanURL(SPM, uM,i), according to one embodiment, is a function that performs a HTTP GET request on URL uM,i with SPM scanning parameters to request data on the web resource pointed to by URL uM,i with SPM scanning parameters. Note that this function may follow any redirections it encounters, as there may be one or several redirections. A redirection can be performed in different ways (HTTP 3xx redirection such as HTTP 301 Moved Permanently, HTML meta refresh redirection, JavaScript redirection). This TestScanURL(SPM, uM,i) function returns a res value of 0 when a defensive action on the server side of the scanned URL is suspected and returns 1 otherwise. A defensive action, according to one embodiment, is suspected if and only if the HTTP GET request on the URL leads to one of the following results:
Redirection to an URL Whose Domain Belongs to HighReputationDomains
As noted above, there may be several redirections, and a redirection can be performed in different ways (HTTP 3xx redirection such as HTTP 301 Moved Permanently, HTML meta refresh redirection, JavaScript redirection). The construct HighReputationDomains may include a list of domain names that enjoy a high reputation, that are well-known and that are generally trusted. High reputation domain names may include, for example, search engine domains, social networks domains, financial services domains, ecommerce company domains, ISP domains and others. Accordingly, examples of HighReputationDomains include google.com, facebook.com, linkedin.com, wellsfargo.com, chase.com, paypal.com, amazon.com, orange.fr. Generally, domains belonging to an organization that is regularly targeted and counterfeited by cybercriminal by means of phishing, ransomware and the like, will be represented in the HighReputationDomains list. It is noted that this list may be generated automatically using, for example, technologies such as Google PageRank.
URL Rewriting
M′=RewriteURLs(M, USS, UM, SPM) is a function that, in one embodiment, rewrites URLs UM={uM,1, . . . , uM,n} in message M. The URL rewriting transforms a selected URL uM,i in message M to a rewritten URL u′M,i that will pose less danger to the end-user when he or she retrieves the rewritten message from his or her mailbox, opens the rewritten message and clicks on the rewritten URL contained therein. Indeed, the rewritten URL now points to a URL scanning service and not to the potentially malicious URL that was originally-contained in the message M. This function takes the following input parameters:
For each URL uM,i, the RewriteURLs(M, USS, UM, SPM) function computes a rewritten URL u′M,i such as:
Then, the RewriteURLs(M, USS, UM, SPM) function replaces each URL uM,i with the rewritten URL u′M,i.
Finally, the RewriteURLs(M, USS, UM, SPM) function returns the updated message M′ that contains the rewritten {u′M,1, . . . , u′M,n} URLs, which message M′ may then be stored in the end-user's mailbox for further use.
URL Rewriting Example
Here is an example of the RewriteURLs(M, USS, UM, SPM) in action, according to one embodiment. Let's consider the following exemplary values:
A rewriting of uM,i may be:
u′M,i=http://urlscanningservice.com/url/aHR0cDovL3d3dy51bmtub3duLmNvbS9pbmRleC5odG1s/geoip/dXNh
In this example, uM,i and SPM have been encoded and stored as parameters in the URL path:
It is to be noted that Base64 is only one of many possible formats into which the parameters may be encoded in the context of URL rewriting. URL rewriting is a popular technique in the context of message security to protect end-users against malicious links. Microsoft Office 365 ATP Safe Links, Mimecast URL Protect and Proofpoint URL Defense are examples of such implementations.
As shown in
Block B906 takes the FM output of B904; namely the features extracted from the electronic message M and computes optimal scanning parameters using, according to one embodiment, a function SPM=DetermineSP(FM). This function determines optimal scanning parameters for message M by taking FM={fM,1, . . . , fM,p} features as an input and returning SPM={spM,1, . . . , spM,q} optimal scanning parameters that may be used to scan one or more selected URLs in the electronic message. That is, if scanning of a suspected malicious or counterfeited website were to be performed using the aforementioned optimal scanning parameters, the webserver in question would be less likely to perform a defensive action and more likely to return the phishing website or webpage, thereby enabling its identification and enabling the security company to provide its customer with defenses thereagainst. According to one embodiment, such parameters may include, for example, an IP address used for scanning, the geolocation of the IP address used for scanning, a constraint on the reverse DNS of the IP address used for scanning, a constraint on the WHOIS of the IP address used for scanning, the value of HTTP User-Agent header, of the HTTP Referer header and/or the value of HTTP Accept-Language header. Other categorical, discrete and continuous values features may be returned, as disclosed herein. As noted above, the SPM=DetermineSP(FM) function may draw on decision tree techniques, neural network techniques, a combination thereof and may be trained with, for example, Supervised Learning techniques. The TestScanURL(SPM, muM) function, according to one embodiment, may have been previously used to determine the optimal scanning parameters used to train the DetermineSP(FM) function underlying supervised learning model.
As shown in B908, using the message M, one or more extracted and selected URLs UM, the optimal scanning parameters output by the DetermineSP(FM) function and the base URL USS for the URL to be rewritten, the RewriteURLs(M, USS, UM, SPM) function rewrites each suspicious URL uM,i in the message M and replaces it with the rewritten URL u′M,i in message M′. The message M′ with the rewritten URL u′M,i therein may be stored in the end-user's mailbox, as shown at block B910 in
As shown in
At B1106, the computed features may be input to the root node of the decision tree(s), a respective subset of the computed features may be evaluated at the internal node(s) and the optimal scanning parameters resulting from the output of the terminal node(s) of the decision tree(s) may be stored in the memory.
As shown in B1107, using the message M, one or more extracted and selected URLs UM={uM,1, . . . , uM,n}, the optimal scanning parameters output by the DetermineSP(FM) function and the base URL USS for the URL to be rewritten, suspicious URLs {uM,1, . . . , uM,n} in the message M may be rewritten (using the RewriteURLs(M, USS, UM, SPM) function described above, in one embodiment) and replaced with the rewritten URLs, {u′M,1, . . . , uM,n} in a modified message M′, which rewritten URLs comprises the base URL of the URL scanning service, an encoded version of the original URL uM,i as a first URL parameter and an encoded version of the optimal scanning parameters as a second URL parameter. Other parameters may be included, in addition to or in place of the aforementioned first and second URL parameters. As shown in B1108, the message M′ with the rewritten URLs {u′M,1, . . . , u′M,n} that comprises the encoded optimal scanning parameters may now be safely stored in the end-user's mailbox (such as his or her Microsoft 365 inbox, Google Gmail inbox, etc.). At this point, the computer-implemented method carried out in the message service ends. The rewritten URLs {u′M,1, . . . , u′M,n} in message M′, according to one embodiment, are safe for the user to click on, as these URLs points to the URL scanning service (as opposed to some potential malicious network resource such as a phishing website) and must be decoded by the URL scanning service before the original network resource to which it points may be resolved. However, none of the decoding and scanning occurs in the messaging service or endangers the user's confidential personal information.
Clicking on the rewritten, modified URL causes a request to be sent to the URL scanning service, together with encoded URL parameters including the encoded URL and the previously-determined and now encoded optimal scanning parameters. This request calls on the URL scanning service to retrieve the original URL by decoding the encoded URL from the first URL parameter as shown at B1308. As shown at B1310, the request also calls on the URL scanning service to retrieve the optimal scanning parameter passed to it by decoding the encoded optimal scanning parameters from the second URL parameter. Lastly, at B1312, the request initiated by the end-user clicking on the modified URL in message M′, calls on the URL scanning service to scan the retrieved original URL, through a selected proxy, using the retrieved optimal scanning parameters to determine the presence of a phishing website or other malicious network resource.
Scanning and requesting data from the website(s) pointed to by the decoded URL(s) may comprise performing a respective HTTP GET request on the website pointed to by each of the decoded URLs, using the optimal scanning parameters. The URL scanning service may then determine whether the scanned server is legitimate or is likely a phishing kit HTTP server. For example, data may be requested from the website(s) pointed to by the decoded URL(s) and this requested data may be analyzed to determine whether a defensive action is returned therefrom.
As shown, the storage device 1507 may include direct access data storage devices such as magnetic disks 1530, non-volatile semiconductor memories (EEPROM, Flash, etc.) 1532, a hybrid data storage device comprising both magnetic disks and non-volatile semiconductor memories, as suggested at 1531. References 1504, 1506 and 1507 are examples of tangible, non-transitory computer-readable media having data stored thereon representing sequences of instructions which, when executed by one or more computing devices, implement the optimal scanning parameter methods described and shown herein. Some of these instructions may be stored locally in a client computing device, while others of these instructions may be stored (and/or executed) remotely and communicated to the client computing over the network 1526. In other embodiments, all of these instructions may be stored locally in the client or other standalone computing device, while in still other embodiments, all of these instructions are stored and executed remotely (e.g., in one or more remote servers) and the results communicated to the client computing device. In yet another embodiment, the instructions (processing logic) may be stored on another form of a tangible, non-transitory computer readable medium, such as shown at 1528. For example, reference 1528 may be implemented as an optical (or some other storage technology) disk, which may constitute a suitable data carrier to load the instructions stored thereon onto one or more computing devices, thereby re-configuring the computing device(s) to one or more of the embodiments described and shown herein. In other implementations, reference 1528 may be embodied as an encrypted solid-state drive. Other implementations are possible.
Embodiments of the present invention are related to the use of computing devices to implement novel scanning of HTTP servers hosting phishing kits through the selection of optimal scanning parameters. Embodiments provide specific improvements to the functioning of computer systems by defeating mechanisms implemented by cybercriminals to detect and defeat URL scanning technologies. Using such improved computer system, URL scanning technologies may remain effective to protect end-users by detecting and blocking cyberthreats. According to one embodiment, the methods, devices and systems described herein may be provided by one or more computing devices in response to processor(s) 1502 executing sequences of instructions, embodying aspects of the computer-implemented methods shown and described herein, contained in memory 1504. Such instructions may be read into memory 1504 from another computer-readable medium, such as data storage device 1507 or another (optical, magnetic, etc.) data carrier, such as shown at 1528. Execution of the sequences of instructions contained in memory 1504 causes processor(s) 1502 to perform the steps and have the functionality described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the described embodiments. Thus, embodiments are not limited to any specific combination of hardware circuitry and software. Indeed, it should be understood by those skilled in the art that any suitable computer system may implement the functionality described herein. The computing devices may include one or a plurality of microprocessors working to perform the desired functions. In one embodiment, the instructions executed by the microprocessor or microprocessors are operable to cause the microprocessor(s) to perform the steps described herein. The instructions may be stored in any computer-readable medium. In one embodiment, they may be stored on a non-volatile semiconductor memory external to the microprocessor or integrated with the microprocessor. In another embodiment, the instructions may be stored on a disk and read into a volatile semiconductor memory before execution by the microprocessor.
Portions of the detailed description above describe processes and symbolic representations of operations by computing devices that may include computer components, including a local processing unit, memory storage devices for the local processing unit, display devices, and input devices. Furthermore, such processes and operations may utilize computer components in a heterogeneous distributed computing environment including, for example, remote file servers, computer servers, and memory storage devices. These distributed computing components may be accessible to the local processing unit by a communication network.
The processes and operations performed by the computer include the manipulation of data bits by a local processing unit and/or remote server and the maintenance of these bits within data structures resident in one or more of the local or remote memory storage devices. These data structures impose a physical organization upon the collection of data bits stored within a memory storage device and represent electromagnetic spectrum elements.
A process, such as the computer-implemented selection of optimal scanning parameters methods described and shown herein, may generally be defined as being a sequence of computer-executed steps leading to a desired result. These steps generally require physical manipulations of physical quantities. Usually, though not necessarily, these quantities may take the form of electrical, magnetic, or optical signals capable of being stored, transferred, combined, compared, or otherwise manipulated. It is conventional for those skilled in the art to refer to these signals as bits or bytes (when they have binary logic levels), pixel values, works, values, elements, symbols, characters, terms, numbers, points, records, objects, images, files, directories, subdirectories, or the like. It should be kept in mind, however, that these and similar terms should be associated with appropriate physical quantities for computer operations, and that these terms are merely conventional labels applied to physical quantities that exist within and during operation of the computer.
It should also be understood that manipulations within the computer are often referred to in terms such as adding, comparing, moving, positioning, placing, illuminating, removing, altering and the like. The operations described herein are machine operations performed in conjunction with various input provided by a human or artificial intelligence agent operator or user that interacts with the computer. The machines used for performing the operations described herein include local or remote general-purpose digital computers or other similar computing devices.
In addition, it should be understood that the programs, processes, methods, etc. described herein are not related or limited to any particular computer or apparatus nor are they related or limited to any particular communication network architecture. Rather, various types of general-purpose hardware machines may be used with program modules constructed in accordance with the teachings described herein. Similarly, it may prove advantageous to construct a specialized apparatus to perform the method steps described herein by way of dedicated computer systems in a specific network architecture with hard-wired logic or programs stored in nonvolatile memory, such as read only memory.
While certain example embodiments have been described, these embodiments have been presented by way of example only and are not intended to limit the scope of the embodiments disclosed herein. Thus, nothing in the foregoing description is intended to imply that any particular feature, characteristic, step, module, or block is necessary or indispensable. Indeed, the novel methods and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions and changes in the form of the methods and systems described herein may be made without departing from the spirit of the embodiments disclosed herein.
Number | Name | Date | Kind |
---|---|---|---|
6285999 | Page | Sep 2001 | B1 |
7516488 | Kienzle | Apr 2009 | B1 |
8521667 | Zhu et al. | Aug 2013 | B2 |
9100406 | Liu | Aug 2015 | B2 |
9106694 | Aziz | Aug 2015 | B2 |
9178901 | Xue | Nov 2015 | B2 |
9398047 | Goutal | Jul 2016 | B2 |
9413774 | Liu et al. | Aug 2016 | B1 |
9596264 | Sandke et al. | Mar 2017 | B2 |
10397272 | Bruss | Aug 2019 | B1 |
20040260922 | Goodman et al. | Dec 2004 | A1 |
20060224359 | Ashcraft | Oct 2006 | A1 |
20070079379 | Sprosts et al. | Apr 2007 | A1 |
20070136806 | Berman | Jun 2007 | A1 |
20080256187 | Kay | Oct 2008 | A1 |
20090070873 | McAfee | Mar 2009 | A1 |
20110314546 | Aziz et al. | Dec 2011 | A1 |
20130333028 | Hagar | Dec 2013 | A1 |
20140181216 | Liebmann | Jun 2014 | A1 |
20140259158 | Brown | Sep 2014 | A1 |
20140298460 | Xue | Oct 2014 | A1 |
20150067833 | Verma | Mar 2015 | A1 |
20150067853 | Amrutkar | Mar 2015 | A1 |
20150288716 | Emigh et al. | Oct 2015 | A1 |
20160036971 | Velthuis | Feb 2016 | A1 |
20160378982 | Bae | Dec 2016 | A1 |
20170155666 | Seul et al. | Jan 2017 | A1 |
20170063893 | Franc | Mar 2017 | A1 |
20170078321 | Maylor | Mar 2017 | A1 |
20170085584 | Goutal | Mar 2017 | A1 |
20170272464 | Goutal | Sep 2017 | A1 |
20180007066 | Goutal | Jan 2018 | A1 |
20180139222 | Wan | May 2018 | A1 |
20180218155 | Grafi | Aug 2018 | A1 |
20180375877 | Jakobsson | Dec 2018 | A1 |
20190020625 | Wood | Jan 2019 | A1 |
20190020682 | Edwards | Jan 2019 | A1 |
20190199745 | Jakobsson | Jun 2019 | A1 |
20190260780 | Dunn | Aug 2019 | A1 |
20200067861 | Leddy | Feb 2020 | A1 |
Entry |
---|
Ziang, Guang et al., “CANTINA+: A Feature-rich Machine Learning Framework for Detecting Phishing Web Sites”, ACM Transactions on Information and System Security 14(2):21 ⋅ Sep. 2011, 32 pages. (Year: 2011). |
Truong, Nguyen Van et al., “Improving Performance Benchmark of Decision Tree Classifications for E-mail Spam Filtering”, International Journal of Engineering and Technical Research (IJETR), vol. 7, Issue-6, Jun. 2017, pp. 4-7. (Year: 2017). |
International Search Report and Written Opinion of the International Searching Authority dated Aug. 30, 2019 in PCT/US2019/029822. |
Invitation to Pay Additional Fees and, Where Applicable, Protest Fee in PCT/US2019/029822 dated Jun. 19, 2019. |
Uniform Resource Identifier (URI): Generic Syntax, T. Berners-Lee, Network Working Group, Jan. 2005. |
Large-Scale Automatic Classification of Phishing Pages, Colin Whittaker et al. |
Detecting Malicious URLs Using Machine Learning Techniques, Frank Vanhoenshoven et al., Conference Paper ⋅ Dec. 2016. |
Malicious URL Detection using Machine Learning: A Survey, Doyen Sahoo, Chenghao Liu, and Steven C.H. Hoi, arXiv:1701.07179v2 [cs.LG] Mar. 16, 2017. |
CANTINA: A Content-Based Approach to Detecting Phishing Web Sites, Yue Zhang et al., WWW 2007, May 8-12, 2007, Banff, Alberta, Canada. ACM 978-1-59593-654-7/07/0005. |
PhishZoo: Detecting Phishing Websites by Looking at Them, Sadia Afroz et al., 2011 IEEE Fifth International Conference on Semantic Computing. |
There is No Free Phish: An Analysis of “Free” and Live Phishing Kits, Marco Cova, Christopher Kruegel, and Giovanni Vigna, Department of Computer Science, University of California, Santa Barbara, 2008. |
McCalley H., Wardman B., Warner G. (2011) Analysis of Back-Doored Phishing Kits. In: Peterson G., Shenoi S. (eds) Advances in Digital Forensics VII. DigitalForensics 2011. IFIP Advances in Information and Communication Technology, vol. 361. Springer, Berlin, Heidelberg. |
Phish in a Barrel Hunting and Analyzing Phishing Kits at Scale, Jordan Wright, © 2017 Duo Security, Inc. |
Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content, R. Fielding et al., Internet Engineering Task Force (IETF), Jun. 2004, ISSN: 2070-1721. |
Googlebot Wikipedia entry, downloaded Nov. 27, 2018. |
Apache HTTP Server Version 2.4 Apache HTTP Server Tutorial: .htaccess files, downloaded Nov. 27, 2018 from https://httpd.apache.org/docs/current/howto/htaccess.html. |
Domain Name System Structure and Delegation, J. Postel, Network Working Group, Mar. 1994. |
Domain Names—Implementation and Specification, P. Mockapetris, Network Working Group, Nov. 1987. |
WHOIS Protocol Specification, L. Daigle, Network Working Group, Sep. 2004. |
Object Recognition from Local Scale-Invariant Features, David G. Lowe, Proc. of the International Conference on Computer Vision, Corfu (Sep. 1999). |
ORB: an efficient alternative to SIFT or SURF, Ethan Rublee et al. 2011 International Conference on Computer Vision. |
Chapter 9, Classification Trees, Lior Rokach et al., O. Maimon, L. Rokach (eds.), Data Mining and Knowledge Discovery Handbook, 2nd ed., DOI 10.1007/978-0-387-09823-4_9, © Springer Science+Business Media, LLC 2010. |
Graphs and Subgraphs, J. A. Bondy and U. S. R. Murty,® J.A. Bondy and V.S.R. Muny 1976, ISBN O˜444-19451. |
Reinhard Diestel, Graph Theory, (X) Springer-Verlaf Heidelberg, New-York 1997, 2000, 2005, Section 1.5 Tree and Forests. |
Induction of Decision Trees, J.R. Quinlan, Machine Learning 1: 81-106, 1986 © 1986 Kluwer Academic Publishers, Boston. |
An Introduction to Classification and Regression Tree (CART) Analysis, Roger J. Lewis, M.D., Ph.D., Presented at the 2000 Annual Meeting of the Society for Academic Emergency Medicine in San Francisco, California. |
Artificial Intelligence: A Modern Approach, Peter Norvig and Stuart J. Russell, section 18.3 Learning Decision Trees, p. 697, 2009. |
Hypertext Transfer Protocol—HTTP/1.0, T. Berners-Lee, Network Working Group, May 1996. |
Wikipedia entry for Proxy Server, downloaded Nov. 27, 2018. |
Identifying Suspicious URLs: An Application of Large-Scale Online Learning, Justin Ma, Proceedings of the 26 th International Conference on Machine Learning, Montreal, Canada, 2009. |
Malicious URL Detection by Dynamically Mining Patterns without Predetermined Elements, Da Huang et al. a Masters Thesis, School of Computing Science Faculty of Applied Sciences (c) Da Huang 2012 Simon Fraser University Spring 2012. |
Chandrasekaran, M., Narayanan, M. and Upadhyaya, S. (2006) Phishing Email Detection Based on Structural Properties. Proceedings of 9th Annual NYS Cyber Security Conference, Albany, Jun. 14, 2006, 2-8. |
Improved phishing detection using model-based features, André Bergholz, Fifth Conference on Email and Anti-Spam, CEAS (2008). |
Office 365 Advanced Threat Protection, Product Guide, © 2016 Microsoft. |
Office 365 ATP Safe Links, Feb. 10, 2019. |
Mimecast Targeted Threat Protection, URL Protect, www.mimecast.com | © 2015 Mimecast, SEC-DS-289-001. |
Proofpoint Essentials URL Defense Advanced Protection with Proofpoint's Targeted Attack Protection. |
What is URL Defense? How to Enable it? How does it work? Proofpoint Essentials Knowledgebase. |