| 发明名称 | Identifying malicious web infrastructures | ||
| 摘要 | Identifying malicious servers is provided. Malicious edges between server vertices corresponding to visible servers and invisible servers involved in network traffic redirection chains are determined based on determined graph-based features within a bipartite graph corresponding to invisible server vertices involved in the network traffic redirection chains and determined distance-based features corresponding to the invisible server vertices involved in the network traffic redirection chains. Malicious server vertices are identified in the bipartite graph based on the determined malicious edges between the server vertices corresponding to the visible servers and invisible servers involved in the network traffic redirection chains. Access by client devices is blocked to malicious servers corresponding to the identified malicious server vertices in the bipartite graph. | ||
| 申请公布号 | US9571518(B2) | 申请公布日期 | 2017.02.14 |
| 申请号 | US201514640658 | 申请日期 | 2015.03.06 |
| 申请人 | International Business Machines Corporation | 发明人 | Hu Xin;Jang Jiyong;Wang Ting;Zhang Jialong |
| 分类号 | G06F21/55;H04L29/06;G06F15/16 | 主分类号 | G06F21/55 |
| 代理机构 | Yee & Associates, P.C. | 代理人 | Yee & Associates, P.C. ;LaBaw Jeffrey S. |
| 主权项 | 1. A computer system for identifying malicious servers, the computer system comprising: a bus system; a storage device connected to the bus system, wherein the storage device stores program instructions; and a processor connected to the bus system, wherein the processor executes the program instructions to: search a set of server domain name white lists to determine whether a server in a plurality of identified servers within a network is listed in the set of server domain name white lists;query a set of search engines to determine whether the server in the plurality of identified servers within the network is listed in a server domain name search result;identify the server as an invisible server and add the server to an invisible server list in response to determining that the server in the plurality of identified servers within the network is not listed in the set of server domain name white lists and not listed in the server domain name search result;identify the server in the plurality of identified servers as a visible server and add the server to a visible server list in response to determining that the server in the plurality of identified servers within the network is listed in at least one of the set of server domain name white lists and the server domain name search result;place each server in the plurality of identified servers within the network in a bipartite graph based on locating each server in one of the visible server list or the invisible server list;determine malicious edges between server vertices corresponding to visible servers and invisible servers involved in network traffic redirection chains based on determined graph-based features within a bipartite graph corresponding to visible and invisible server vertices involved in the network traffic redirection chains and determined distance-based features corresponding to the invisible server vertices involved in the network traffic redirection chains;identify malicious server vertices in the bipartite graph based on the determined malicious edges between the server vertices corresponding to the visible servers and invisible servers involved in the network traffic redirection chains; andblock access by client devices to malicious servers corresponding to the identified malicious server vertices in the bipartite graph. | ||
| 地址 | Armonk NY US | ||