Abstract: A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility.

Abstract: Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Abstract: To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name to thereby establish a relationship there-between. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.

Abstract: Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.

Abstract: To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name to thereby establish a relationship there-between. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.

Abstract: Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.

Abstract: A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

Abstract: A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

Abstract: A spammy app detection system may search a database for any new social media application discovered during a recent time period. A spammy app detection algorithm can be executed on the spammy app detection system on an hourly basis to determine whether any of such applications is spammy (i.e., posting to a social media page anomalously). The spammy app detection algorithm has a plurality of stages. When a new social media application fails any of the stages, it is identified as a spammy app. The spammy app detection system can update the database accordingly, ban the spammy application from further posting to a social media page monitored by the spammy app detection system, notify an entity associated with the social media page, further process the spammy application, and so on. In this way, the spammy app detection system can reduce digital risk and spam attacks.

Abstract: An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power.

Abstract: A rules engine is adapted for analyzing each match produced by a domain discovery system as matching a seed domain. Utilizing a natural language processing (NLP) library, the rules engine determines segments from the match, assigns a lexical category to each segment based on the context in how a seed domain string is used, and compares the lexical category of the segment that is closest to the seed domain string with a lexical category of the seed domain string. Based on the comparing, the rules engine determines whether the match is relevant to the seed domain and, if not, the match produced by the domain discovery system is identified as a false positive and automatically removed from a set of matches produced by the domain discovery system for the seed domain.

Abstract: Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names.

Abstract: Disclosed is a domain filter capable of determining an n-gram distance between a seed domain and each of a plurality of candidate domains. The domain filter loads a seed domain n-gram for the seed domain and a candidate domain n-gram for each candidate domain in memory, compares the seed domain n-gram and the candidate domain n-gram to identify any identical grams, removes any identical grams from the seed domain n-gram, and determines how many grams are left in the seed domain n-gram, representing the n-gram distance between the seed domain and the candidate domain. The domain filter then compares n-gram distances thus determined with a predetermined threshold, eliminates any candidate domain having an n-gram distance from the seed domain that exceeds the predetermined threshold, and provides remaining candidate domains to a downstream computing facility such as a user interface or an analytical module operating in an enterprise computing environment.

Abstract: An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power.

Abstract: A spammy app detection system may search a database for any new social media application discovered during a recent time period. A spammy app detection algorithm can be executed on the spammy app detection system on an hourly basis to determine whether any of such applications is spammy (i.e., posting to a social media page anomalously). The spammy app detection algorithm has a plurality of stages. When a new social media application fails any of the stages, it is identified as a spammy app. The spammy app detection system can update the database accordingly, ban the spammy application from further posting to a social media page monitored by the spammy app detection system, notify an entity associated with the social media page, further process the spammy application, and so on. In this way, the spammy app detection system can reduce digital risk and spam attacks.

Abstract: Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Abstract: Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names.

Abstract: Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Abstract: Aspects of the disclosure relate to detecting random and/or algorithmically-generated character sequences in domain names. A computing platform may train a machine learning model based on a set of semantically-meaningful words. Subsequently, the computing platform may receive a seed string and a set of domains to be analyzed in connection with the seed string. Based on the machine learning model, the computing platform may apply a classification algorithm to the seed string and the set of domains, where applying the classification algorithm to the seed string and the set of domains produces a classification result. Thereafter, the computing platform may store the classification result.

Abstract: Disclosed is a domain filter capable of determining an n-gram distance between a seed domain and each of a plurality of candidate domains. The domain filter loads a seed domain n-gram for the seed domain and a candidate domain n-gram for each candidate domain in memory, compares the seed domain n-gram and the candidate domain n-gram to identify any identical grams, removes any identical grams from the seed domain n-gram, and determines how many grams are left in the seed domain n-gram, representing the n-gram distance between the seed domain and the candidate domain. The domain filter then compares n-gram distances thus determined with a predetermined threshold, eliminates any candidate domain having an n-gram distance from the seed domain that exceeds the predetermined threshold, and provides remaining candidate domains to a downstream computing facility such as a user interface or an analytical module operating in an enterprise computing environment.