Automatic detection of search results poisoning attacks

摘要

Search result poisoning attacks may be automatically detected by identifying groups of suspicious uniform resource locators (URLs) containing multiple keywords and exhibiting patterns that deviate from other URLs in the same domain without crawling and evaluating the actual contents of each web page. Suspicious websites are identified and lexical features are extracted for each such website. The websites are clustered based on their lexical features, and group analysis is performed on each group to identify at least one suspicious group. Other implementations are directed to detecting a search engine optimization (SEO) attack by processing a large population of URLs to identify suspicious URLs based on the presence of a subset of keywords in each URL and the relative newness of each URL.

主权项

1. A method comprising:
identifying a plurality of suspicious websites from among a plurality of websites; extracting a set of lexical features for each website among from the plurality of suspicious websites; clustering each website from among the plurality of suspicious websites into a plurality of groups based on the set of lexical features extracted for each website; performing group analysis on each group from among the plurality of groups to identify at least one suspicious group that provides confirmation of at least one search engine optimization (SEO) attack; and using the identified at least one suspicious group to identify a corresponding group of compromised servers targeted by the SEO attack, wherein the corresponding group of compromised servers comprises a subset of servers that exhibit a change in behavior, indicative of the SEO attack.