Abstract: A system and a method are disclosed for describing a mechanism for tracking malicious activity detected on a network. For example, based on network data collected from a server, the disclosed system may detect malicious activity originating from a client device directed to the server. To detect the malicious activity, network data may be captured by the server and analyzed. When malicious activity is detected, the system may track the malicious activity, using the network data, to an earliest connection date of a client device from where the malicious activity potentially originated. The earliest connection date may indicate a potential start date of the malicious activity.
Type: Grant
Filed: January 5, 2022
Date of Patent: November 22, 2022
Assignee: Anomali Inc.
Inventors: Wei Huang, Yizheng Zhou, Peizhou Guo, Mohsen Imani
Abstract: A system and a method are disclosed for describing a mechanism for tracking malicious activity detected on a network. For example, based on network data collected from a server, the disclosed system may detect malicious activity originating from a client device directed to the server. To detect the malicious activity, network data may be captured by the server and analyzed. When malicious activity is detected, the system may track the malicious activity, using the network data, to an earliest connection date of a client device from where the malicious activity potentially originated. The earliest connection date may indicate a potential start date of the malicious activity.
Type: Grant
Filed: April 2, 2020
Date of Patent: February 8, 2022
Assignee: Anomali Inc.
Inventors: Wei Huang, Yizheng Zhou, Peizhou Guo, Mohsen Imani
Abstract: A method evaluates whether a web domain is malicious. The method forms a feature vector, including data from web crawling. The features may include: whether the domain is cached from web crawling; the number of unique publicly accessible URIs hosted on the domain; the number of backlinks referencing the domain; the number of unique domain names in referring backlinks; the number of unique IP addresses in the referring backlinks; the number of unique IP address groups in the referring backlinks; and the proportion of hyperlinks to the domain from popular websites. For multiple classifiers, the method computes a probability that the domain is malicious. Each classifier is a decision tree constructed according to a subset of features and a subset of sample feature vectors. The method combines the individual probabilities to form an overall probability and returns the computed overall probability to the client.