Title: Detecting web exploit kits by tree-based structural similarity search
Abstract: A method of detecting exploit kits includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic. The HTTP traffic is clustered into a web session tree according to a client IP (Internet Protocol) address. A client tree structure of the web session tree is generated. The client tree structure is compared with tree structures of exploit kit samples.
Publication number: US9516051(B1)   Publication date: 2016.12.06
Application number: US201514750290   Filing date: 2015.06.25
Applicant: International Business Machines Corporation   Inventors: Hu Xin; Jang Jiyong; Monrose Fabian; Stoecklin Marc Philippe; Taylor Teryl; Wang Ting
Classification: H04L29/06   Main classification: H04L29/06
Agent: McGinn IP Law Group, PLLC   Attorney: LaBaw, Esq. Jeff; McGinn IP Law Group, PLLC
Independent claim: 1. A method comprising: receiving, at an input port of the computer, indication of HTTP (Hypertext Transfer Protocol) traffic; clustering, using the processor on the computer, the HTTP traffic according to a client IP (Internet Protocol) into a web session tree; generating a client tree structure of the web session tree; and comparing the client tree structure with each tree structure of a plurality of exploit kit samples; wherein the plurality of exploit kit samples are stored in an index for the comparing with the client tree structure, the method comprising: classifying each of the plurality of exploit kit samples into a type of exploit kit; for each type, calculating a plurality of similarity values between each of the exploit kit samples classified in the type; and using a lowest similarity value of the plurality of similarity values as a comparison threshold value for a node level similarity comparison between the client tree structure and the plurality of classified exploit kit samples of the corresponding type.
Address: Armonk NY US
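The claimed procedure (cluster HTTP requests per client IP into a referer-linked session tree, reduce it to a tree structure, and take the lowest pairwise similarity among each kit type's own samples as that type's detection threshold) is illustrated below in an added example that is not part of the patent or of IBM's implementation. The traffic records, the kit samples, the edge-set structure representation and the Jaccard similarity metric are all constructed assumptions; the patent does not specify a metric.

```python
from collections import defaultdict
from itertools import combinations
# Constructed HTTP records (client_ip, url, referer); not real traffic.
TRAFFIC = [
    ("10.0.0.5", "http://news.example/index.html", None),
    ("10.0.0.5", "http://ads.example/show.php", "http://news.example/index.html"),
    ("10.0.0.5", "http://lp.example/gate.php", "http://ads.example/show.php"),
    ("10.0.0.5", "http://lp.example/a.swf", "http://lp.example/gate.php"),
    ("10.0.0.5", "http://lp.example/b.jar", "http://lp.example/gate.php"),
    ("10.0.0.9", "http://shop.example/", None),
]
# Constructed, pre-classified kit samples: type -> trees, each tree mapping
# a URL to the URL that referred it (None marks the landing page).
KIT_SAMPLES = {"KitA": [
    {"http://k1.test/land.html": None, "http://k1.test/g.php": "http://k1.test/land.html",
     "http://k1.test/x.swf": "http://k1.test/g.php", "http://k1.test/x.jar": "http://k1.test/g.php"},
    {"http://k2.test/main.html": None, "http://k2.test/gate.php": "http://k2.test/main.html",
     "http://k2.test/e.swf": "http://k2.test/gate.php", "http://k2.test/e.jar": "http://k2.test/gate.php",
     "http://k2.test/p.exe": "http://k2.test/e.swf"},
]}

def session_trees(records):
    """Cluster requests by client IP and hang each request under its referer."""
    trees = defaultdict(dict)
    for ip, url, ref in records:
        trees[ip][url] = ref if ref in trees[ip] else None  # unseen referer -> new root
    return trees

def label(url):  # node label: extension of the last path segment ('' if none)
    seg = url.rsplit("/", 1)[-1]
    return seg.rsplit(".", 1)[-1] if "." in seg else ""

def structure(tree):
    """Content-agnostic tree structure: the set of (parent-label, child-label) edges."""
    return {("ROOT" if p is None else label(p), label(u)) for u, p in tree.items()}

def similarity(a, b):  # Jaccard over edge sets; the choice of metric is an assumption
    return len(a & b) / len(a | b) if a | b else 1.0

def thresholds(samples):
    """Per kit type, the lowest pairwise similarity among its own samples."""
    out = {}
    for kind, trees in samples.items():
        pairs = [similarity(structure(x), structure(y)) for x, y in combinations(trees, 2)]
        out[kind] = min(pairs) if pairs else 1.0  # single sample: require exact match
    return out

def classify(tree, samples, thr):
    """Kit types whose best-matching sample meets that type's threshold."""
    c = structure(tree)
    return sorted(k for k, ts in samples.items()
                  if max(similarity(c, structure(t)) for t in ts) >= thr[k])
```

With these inputs the two KitA samples agree on four of five edges, so the KitA threshold is 0.8; the first client's ad-redirect chain reaches exactly that similarity and is flagged, while the second client's single-page session is not.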