Title |
Detecting web exploit kits by tree-based structural similarity search |
Abstract |
A method of detecting exploit kits includes receiving, at an input port of a computer, an indication of HTTP (Hypertext Transfer Protocol) traffic. The HTTP traffic is clustered into a web session tree according to a client IP (Internet Protocol) address. A client tree structure of the web session tree is generated. The client tree structure is compared with the tree structures of exploit kit samples. |
Publication number |
US9516051(B1) |
Publication date |
2016.12.06 |
Application number |
US201514750290 |
Filing date |
2015.06.25 |
Applicant |
International Business Machines Corporation |
Inventors |
Hu Xin;Jang Jiyong;Monrose Fabian;Stoecklin Marc Philippe;Taylor Teryl;Wang Ting |
Classification |
H04L29/06 |
Main classification |
H04L29/06 |
Representative firm |
McGinn IP Law Group, PLLC |
Attorney/agent |
LaBaw, Esq. Jeff;McGinn IP Law Group, PLLC |
Independent claim |
1. A method comprising:
receiving, at an input port of the computer, indication of HTTP (Hypertext Transfer Protocol) traffic;
clustering, using the processor on the computer, the HTTP traffic according to a client IP (Internet Protocol) into a web session tree;
generating a client tree structure of the web session tree; and
comparing the client tree structure with each tree structure of a plurality of exploit kit samples;
wherein the plurality of exploit kit samples are stored in an index for the comparing with the client tree structure, the method comprising:
classifying each of the plurality of exploit kit samples into a type of exploit kit;
for each type, calculating a plurality of similarity values between each of the exploit kit samples classified in the type; and
using a lowest similarity value of the plurality of similarity values as a comparison threshold value for a node level similarity comparison between the client tree structure and the plurality of classified exploit kit samples of the corresponding type. |
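The abstract and claim 1 describe a pipeline (cluster HTTP traffic per client IP into session trees, derive a tree structure, index exploit kit samples by type with a per-type threshold equal to the lowest pairwise similarity within that type, and compare the client tree against the index), but the page does not specify how requests are linked into a tree, how nodes are labelled, or which similarity measure is used. The following is an added Python example illustrating that pipeline; it is not code from the patent or from IBM. It assumes, for illustration only: requests are linked parent-to-child by matching the Referer header to an earlier request URL from the same client, node labels are derived from the Content-Type header, the "node level similarity" is the Jaccard index over the sets of root-to-node label paths, a type with a single sample falls back to an exact-match threshold of 1.0, and the traffic records and exploit kit sample trees (types "TypeA" and "TypeB") are constructed.

```python
"""Tree-based exploit kit detection over HTTP traffic (added illustrative example)."""
from collections import defaultdict
from itertools import combinations


def node_label(content_type):
    """Coarse node label from a Content-Type header (assumed label scheme)."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "text/html":
        return "html"
    if ct in ("application/javascript", "text/javascript"):
        return "js"
    if ct == "application/x-shockwave-flash":
        return "swf"
    if ct == "application/octet-stream":
        return "bin"
    return "other"


def build_session_trees(records):
    """Cluster HTTP records by client IP and link each request to the earlier
    request whose URL equals its Referer (assumed linking rule). Returns
    {ip: [tree, ...]}, where a tree is (label, [child trees]); a request with
    no matching Referer starts a new tree. A repeated URL overwrites its node."""
    by_ip = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_ip[rec["ip"]].append(rec)
    forest = {}
    for ip, recs in by_ip.items():
        nodes, roots = {}, []
        for rec in recs:
            node = (node_label(rec["ctype"]), [])
            nodes[rec["url"]] = node
            parent = nodes.get(rec.get("referer"))
            (parent[1] if parent else roots).append(node)
        forest[ip] = roots
    return forest


def label_paths(tree, prefix=()):
    """Tree structure expressed as the set of root-to-node label paths."""
    label, children = tree
    path = prefix + (label,)
    paths = {path}
    for child in children:
        paths |= label_paths(child, path)
    return paths


def similarity(t1, t2):
    """Node-level similarity: Jaccard index of the two path sets (assumed measure)."""
    a, b = label_paths(t1), label_paths(t2)
    return len(a & b) / len(a | b)


def build_index(samples):
    """samples: list of (ek_type, tree). Returns {ek_type: (trees, threshold)},
    the threshold being the lowest pairwise similarity among that type's samples."""
    by_type = defaultdict(list)
    for ek_type, tree in samples:
        by_type[ek_type].append(tree)
    index = {}
    for ek_type, trees in by_type.items():
        pairs = [similarity(x, y) for x, y in combinations(trees, 2)]
        # A type with one sample has no pairs: require an exact match (assumption).
        index[ek_type] = (trees, min(pairs) if pairs else 1.0)
    return index


def match_types(tree, index):
    """Types whose threshold the client tree reaches against any sample of that type."""
    return sorted(t for t, (trees, thr) in index.items()
                  if max(similarity(tree, s) for s in trees) >= thr)


def detect(records, index):
    """{ip: sorted exploit kit types matched by any of the client's session trees}."""
    result = {}
    for ip, trees in build_session_trees(records).items():
        hits = set()
        for tree in trees:
            hits.update(match_types(tree, index))
        result[ip] = sorted(hits)
    return result


# Constructed exploit kit sample trees with hypothetical type names.
EK_SAMPLES = [
    ("TypeA", ("html", [("js", [("swf", [("bin", [])])])])),
    ("TypeA", ("html", [("js", [("swf", [("bin", [])])]), ("html", [])])),
    ("TypeB", ("html", [("html", [("js", [("bin", [])])])])),
    ("TypeB", ("html", [("html", [("js", [("bin", [])])]), ("swf", [("bin", [])])])),
]

# Constructed HTTP traffic records: one client following a landing page -> script
# -> Flash -> binary chain, one client loading an ordinary page.
TRAFFIC = [
    {"ts": 1, "ip": "10.0.0.1", "url": "http://a.example/index.html", "referer": None, "ctype": "text/html"},
    {"ts": 2, "ip": "10.0.0.1", "url": "http://a.example/lib.js", "referer": "http://a.example/index.html", "ctype": "application/javascript"},
    {"ts": 3, "ip": "10.0.0.1", "url": "http://b.example/gate.swf", "referer": "http://a.example/lib.js", "ctype": "application/x-shockwave-flash"},
    {"ts": 4, "ip": "10.0.0.1", "url": "http://b.example/p.bin", "referer": "http://b.example/gate.swf", "ctype": "application/octet-stream"},
    {"ts": 5, "ip": "10.0.0.2", "url": "http://c.example/", "referer": None, "ctype": "text/html; charset=utf-8"},
    {"ts": 6, "ip": "10.0.0.2", "url": "http://c.example/app.js", "referer": "http://c.example/", "ctype": "text/javascript"},
    {"ts": 7, "ip": "10.0.0.2", "url": "http://c.example/logo.png", "referer": "http://c.example/", "ctype": "image/png"},
]

if __name__ == "__main__":
    print(detect(TRAFFIC, build_index(EK_SAMPLES)))
```

With these constructed inputs the per-type thresholds come out as 0.8 for TypeA and 2/3 for TypeB, client 10.0.0.1 matches TypeA and client 10.0.0.2 matches nothing. The per-type minimum is deliberately conservative: a type whose samples vary widely gets a low threshold and therefore more matches, so in practice the sample set for each type should be curated before the threshold is trusted.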
Address |
Armonk NY US |