Title System to identify machines infected by malware applying linguistic analysis to network requests from endpoints
Abstract A method to identify machines infected by malware is provided. The method includes determining whether a universal resource locator in a network request is present in a first cache and determining whether a fully qualified domain name from the universal resource locator is present in a second cache. The method includes evaluating a parent hostname as to suspiciousness. The method includes indicating the computing device has a likelihood of infection, responsive to one of: the universal resource locator being present in the first cache with a first indication of suspiciousness, the fully qualified domain name being present in the second cache with a second indication of suspiciousness, or the evaluating the parent hostname having a third indication of suspiciousness, wherein at least one method operation is performed by the processor. A system and computer readable media are provided.
Publication number US9419986(B2) Publication date 2016.08.16
Application number US201414226626 Filing date 2014.03.26
Applicant Symantec Corporation Inventors Hart Michael; Kienzle Darrell; Ashley Peter
Classification G06F21/55; H04L29/06; G06F21/70 Main classification G06F21/55
Agency Womble Carlyle Sandridge & Rice LLP Agent Womble Carlyle Sandridge & Rice LLP
Main claim 1. A method to identify machines infected by malware, comprising: determining whether a universal resource locator (URL), in a network request from a computing device, is present in a first cache coupled to a processor of a server; determining whether a fully qualified domain name, extracted from the universal resource locator and distinct from the universal resource locator, is present in a second cache coupled to the processor of the server, in response to determining that the universal resource locator is not present in the first cache; evaluating a parent hostname, extracted from the universal resource locator and distinct from the universal resource locator, as to suspiciousness, in response to determining that the fully qualified domain name is not present in the second cache of the server, wherein evaluating the parent hostname includes determining whether the parent hostname has a length greater than a predetermined length; and indicating the computing device has a likelihood of infection, responsive to one of: the universal resource locator being present in the first cache of the server with a first indication of suspiciousness, the fully qualified domain name being present in the second cache of the server with a second indication of suspiciousness, or the evaluating the parent hostname having a third indication of suspiciousness, wherein at least one method operation is performed by the processor.
Address Mountain View CA US
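The three-stage cascade of claim 1 (URL cache, then FQDN cache, then parent-hostname length), written out as an added Python example; this is not the patent's or Symantec's code. The sample cache contents, the two-label rule for deriving the parent hostname and the 24-character "predetermined length" are constructed assumptions.

```python
"""Tiered URL check following claim 1 of US9419986.

Illustrative code only; caches, parent-hostname rule and threshold are assumed.
"""
from urllib.parse import urlsplit

# Constructed sample caches: key -> verdict (True = suspicious, False = benign).
URL_CACHE = {
    "http://cdn.example-update.test/payload.bin": True,
    "http://www.example.test/index.html": False,
}
FQDN_CACHE = {
    "beacon.ads-tracker.test": True,
    "www.example.test": False,
}

# Assumed value for the claim's "predetermined length".
MAX_PARENT_HOSTNAME_LENGTH = 24


def parent_hostname(fqdn: str) -> str:
    """Derive the parent hostname from an FQDN.

    Assumption: the parent is the last two labels (a real deployment would
    consult a public-suffix list so that e.g. "co.uk" is handled correctly).
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def classify(url: str) -> tuple[bool, str]:
    """Return (likely_infected, stage) for one network request.

    Stage order matches the claim: the second cache is consulted only when
    the URL is absent from the first, and the parent hostname is evaluated
    only when the FQDN is absent from the second.
    """
    if url in URL_CACHE:
        return URL_CACHE[url], "url-cache"
    fqdn = urlsplit(url).hostname or ""
    if fqdn in FQDN_CACHE:
        return FQDN_CACHE[fqdn], "fqdn-cache"
    parent = parent_hostname(fqdn)
    # Third indication: an over-long parent hostname is treated as suspicious.
    return len(parent) > MAX_PARENT_HOSTNAME_LENGTH, "parent-hostname-length"
```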