Abstract: A method for classifying domains to malware families includes identifying a corpus of malicious domains, identifying one or more suspicious domains, extracting a timeframe corresponding to the one or more suspicious domains, calculating a rank coefficient between the one or more suspicious domains and a current seed domain of the corpus of malicious domains, determining whether the rank correlation coefficient exceeds a rank threshold for the one or more suspicious domains, comparing a number of suspicious domains whose correlation coefficients exceed the rank threshold to a relation threshold, and responsive to determining the number of suspicious domains whose correlation coefficients exceed the rank threshold exceeds the relation threshold, applying a tag to the suspicious domains indicating that the one or more suspicious domains correspond to a same malware family as the current seed domain.

Abstract: A method for classifying domains to malware families includes identifying a corpus of malicious domains, identifying one or more suspicious domains, extracting a timeframe corresponding to the one or more suspicious domains, calculating a rank coefficient between the one or more suspicious domains and a current seed domain of the corpus of malicious domains, determining whether the rank correlation coefficient exceeds a rank threshold for the one or more suspicious domains, comparing a number of suspicious domains whose correlation coefficients exceed the rank threshold to a relation threshold, and responsive to determining the number of suspicious domains whose correlation coefficients exceed the rank threshold exceeds the relation threshold, applying a tag to the suspicious domains indicating that the one or more suspicious domains correspond to a same malware family as the current seed domain.

Abstract: A method for producing a list of network domains comprising: producing a graph comprising a plurality of nodes, each associated with one of a plurality of domain names extracted from data captured from a digital communication network, and a plurality of edges, each associated with one or more syntactic correlations, identified in the data, between two of the plurality of domain names, where the one or more syntactic correlations indicate a possible network structure relationship between the two of the plurality of domain names; producing a list of associated domain names according to a plurality of statistical values each assigned to one of the plurality of edges or one of the plurality of nodes according to an amount of respective one or more syntactic correlations; and providing the list of associated domain names to at least one software object to perform a domain-oriented task.

Abstract: A method for producing a list of network domains comprising: producing a graph comprising a plurality of nodes, each associated with one of a plurality of domain names extracted from data captured from a digital communication network, and a plurality of edges, each associated with one or more syntactic correlations, identified in the data, between two of the plurality of domain names, where the one or more syntactic correlations indicate a possible network structure relationship between the two of the plurality of domain names; producing a list of associated domain names according to a plurality of statistical values each assigned to one of the plurality of edges or one of the plurality of nodes according to an amount of respective one or more syntactic correlations; and providing the list of associated domain names to at least one software object to perform a domain-oriented task.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for updating a whitelist. The method includes one or more processors identifying candidates for a whitelist based on correlations between candidates and web domains in the whitelist. The method further includes one or more processors extracting textual information and image information from the whitelist candidates. The method further includes one or more processors classifying the candidates for the whitelist into groups of candidates based on a comparison of the extracted information from the whitelist candidates and information associated with the web domains existing in the whitelist. The method further includes one or more processors determining candidates to add to the whitelist based upon a similarity measure ranking between the web domains existing in the whitelist and the candidates for a whitelist. The method further includes one or more processors updating the whitelist to include the determined candidates.

Abstract: A method, computer system, and a computer program product for identifying a phishing attack is provided. The present invention may include receiving an alert of a suspicious URL. The present invention may include making an HTTP request to the suspicious URL. The present invention may include downloading and rendering the suspicious URL content. The present invention may include producing a screenshot of the rendered suspicious URL content. The present invention may include making an HTTP request to a domain landing page. The present invention may include downloading and rendering the domain landing page URL content. The present invention may include producing a screenshot of the rendered domain landing page URL content. The present invention may include generating a score based on comparing the produced first screenshot and the produced second screenshot.

Abstract: A method, computer system, and a computer program product for identifying a phishing attack is provided. The present invention may include receiving an alert of a suspicious URL. The present invention may include making an HTTP request to the suspicious URL. The present invention may include downloading and rendering the suspicious URL content. The present invention may include producing a screenshot of the rendered suspicious URL content. The present invention may include making an HTTP request to a domain landing page. The present invention may include downloading and rendering the domain landing page URL content. The present invention may include producing a screenshot of the rendered domain landing page URL content. The present invention may include generating a score based on comparing the produced first screenshot and the produced second screenshot.

Abstract: Aspects of the present invention disclose a method, computer program product, and system for updating a whitelist. The method includes one or more processors identifying candidates for a whitelist based on correlations between candidates and web domains in the whitelist. The method further includes one or more processors extracting textual information and image information from the whitelist candidates. The method further includes one or more processors classifying the candidates for the whitelist into groups of candidates based on a comparison of the extracted information from the whitelist candidates and information associated with the web domains existing in the whitelist. The method further includes one or more processors determining candidates to add to the whitelist based upon a similarity measure ranking between the web domains existing in the whitelist and the candidates for a whitelist. The method further includes one or more processors updating the whitelist to include the determined candidates.

Abstract: A method and system for calculating and ascribing reputation scores to Domain Name System (DNS) domain names, the method including capturing domain names appearing in a network during a predefined time frame and extracting features of each of the captured domain names, and calculating a reputation score for each of the captured domain names by assessing an expected life duration of each of the captured domain names based on the domain name features.