Title: Malicious software detection in a computing system
Abstract: A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.
Publication number: US9043894(B1)    Publication date: 2015.05.26
Application number: US201514616080    Filing date: 2015.02.06
Applicant: Palantir Technologies Inc.    Inventors: Dennison Drew; Stowe Geoff; Anderson Adam
Classification: H04L29/06    Main classification: H04L29/06
Agency: Knobbe, Martens, Olson & Bear, LLP    Agent: Knobbe, Martens, Olson & Bear, LLP
Main claim: 1. A computer system to identify malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs, the system comprising:
    one or more computer readable storage devices configured to store one or more software modules including computer executable instructions; and
    the plurality of unscreened data items associated with communications between computerized devices within a local network and external resources, the unscreened data items comprising a plurality of device identifiers for the computerized devices and a plurality of URLs referencing the external resources;
    a network connection configured to access, from a remote network not within the local network, a list of domain names satisfying a ranking condition based on Internet traffic data; and
    one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the one or more software modules in order to cause the computer system to:
        access, from the one or more computer readable storage devices, the plurality of unscreened data items;
        identify, from the plurality of unscreened data items, a plurality of connection records, each of the connection records indicating a communication from a computerized device to an external resource at a specific time, such that each of the connection records is associated with a device identifier and a URL,
        identify, from the plurality of connection records, one or more connection records having a common device identifier, the identified one or more connection records associated with one or more URLs;
        parse the one or more URLs for one or more domain names, each of the one or more URLs associated with a domain name;
        based on a determination that none of the one or more domain names satisfies a threshold position in the list of domain names, designate the one or more URLs as possible malicious URL data items;
        assign a score based on a plurality of factors relating to the possible malicious URL data items, the factors comprising the determination that none of the one or more domain names satisfies the threshold position in the list of domain names.
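The pre-filter and scoring steps of claim 1, as an added illustration that is not the patent's own code: connection records are grouped by device identifier, each URL is parsed to a domain, and a device whose domains all fall outside the threshold position in a ranked domain list is designated for scoring. The ranked list, the connection records, and the scoring weights (including the raw-IP-host factor) are constructed for the example and are assumptions, not values from the patent.

```python
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed stand-in for a fetched traffic-ranked domain list (rank 1 first).
TOP_DOMAINS = ["example.com", "wikipedia.org", "github.com", "python.org"]
THRESHOLD_POSITION = 3  # a domain must rank at or above this 1-based position

# Constructed connection records: (device_id, url, time), e.g. from proxy logs.
RECORDS = [
    ("host-01", "https://www.example.com/index.html", "2015-02-06T10:00:00"),
    ("host-01", "http://cdn.example.com/a.js", "2015-02-06T10:00:01"),
    ("host-02", "http://upd.example-bad.net/gate.php", "2015-02-06T10:05:00"),
    ("host-02", "http://198.51.100.7:8080/x", "2015-02-06T10:05:02"),
    ("host-03", "https://python.org/", "2015-02-06T10:06:00"),
]

def is_ip(host):
    """True if the host part of a URL is a literal IP address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def registered_domain(url):
    """Reduce a URL to its host's last two labels; an IP host is returned as-is.
    (Two-label heuristic is a simplification; a public-suffix list is more exact.)"""
    host = urlsplit(url).hostname or ""
    return host if is_ip(host) else ".".join(host.split(".")[-2:])

def ranked_within_threshold(domain, top_domains=TOP_DOMAINS, threshold=THRESHOLD_POSITION):
    """True if the domain sits at a position <= threshold in the ranked list."""
    return domain in top_domains[:threshold]

def prefilter_and_score(records, top_domains=TOP_DOMAINS, threshold=THRESHOLD_POSITION):
    """Group records by device, designate devices with no well-ranked domain as
    possible malicious URL data items, and assign each a score."""
    by_device = defaultdict(list)
    for device_id, url, _time in records:
        by_device[device_id].append(url)
    results = {}
    for device_id, urls in by_device.items():
        domains = [registered_domain(u) for u in urls]
        if any(ranked_within_threshold(d, top_domains, threshold) for d in domains):
            continue  # at least one domain satisfies the threshold: not designated
        # Scoring factors; the weights are assumptions chosen for illustration.
        score = 1.0  # factor 1: none of the domains satisfies the threshold position
        score += 0.5 * sum(1 for d in domains if is_ip(d))  # factor 2: raw IP hosts
        score += 0.1 * len(urls)  # factor 3: volume of connections from the device
        results[device_id] = {"urls": urls, "score": round(score, 2)}
    return results
```

In the constructed data, host-01 is dropped because example.com ranks within the threshold, while host-02 and host-03 are designated and scored.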
Address: Palo Alto CA US