SPAMMY APP DETECTION SYSTEMS AND METHODS

A spammy app detection system may search a database for any new social media application discovered during a recent time period. A spammy app detection algorithm can be executed on the spammy app detection system on an hourly basis to determine whether any of such applications is spammy (i.e., posting to a social media page anomalously). The spammy app detection algorithm has a plurality of stages. When a new social media application fails any of the stages, it is identified as a spammy app. The spammy app detection system can update the database accordingly, ban the spammy application from further posting to a social media page monitored by the spammy app detection system, notify an entity associated with the social media page, further process the spammy application, and so on. In this way, the spammy app detection system can reduce digital risk and spam attacks. 1. A method , comprising:sending, by a spammy app detection system executing on a processor, a request to a network server for updates on a page monitored by the spammy app detection system;receiving, by the spammy app detection system from the network server, the updates on the page monitored by the spammy app detection system;analyzing, by the spammy app detection system, the updates on the page monitored by the spammy app detection system;determining, by the spammy app detection system based at least on the analyzing, that a new app is interacting with the page monitored by the spammy app detection system; determining whether the new app is a known fraudulent application;', 'determining whether a poster of the new app is a known spammy user;', 'determining whether the new app is similar to a known fraudulent application, the determining including comparing the new app with the known fraudulent application; and', 'determining whether the new app is posting anomalously to the page through a plurality of user accounts;, 'processing, by the spammy app detection system, the new app through a plurality of ...

Domain name classification systems and methods

Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.

SYSTEM AND METHOD FOR ANALYZING WEB CONTENT

A system and computer based method are provided for identifying active content in websites on a network. One embodiment includes a computer based method of classifying web content. The method receives content of a web page, and determines a first property associated with the content, the first property including static content. The method executes active content associated with the webpage, and determines a second property associated with the content based at least in part on the executing, the second property including the active content. The method also evaluates a logical expression relating the first property and the second property, and associates the web page with a category based on a result of the evaluation. The evaluation of the logical expression at least in part evaluates whether a constant value matches at least a portion of the content of the web page. 1. A method of classifying web content , implemented on one or more computer processors , the method comprising:using at least one of the processors, receiving content of a web page;using at least one of the processors, determining a first property associated with the content of the web page, the first property comprising static content associated with the web page;using at least one of the processors, executing active content associated with the webpage;using at least one of the processors, determining a second property associated with the content of the web page based at least in part on the executing, the second property comprising the active content;using at least one of the processors, evaluating a logical expression relating the first property and the second property; andusing at least one of the processors, associating the web page with a category based on a result of the evaluation,wherein the evaluation of the logical expression at least in part evaluates whether a constant value matches at least a portion of the content of the web page.2. The method of claim 1 , wherein executing the active ...

DOMAIN NAME PROCESSING SYSTEMS AND METHODS

A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility. 1. A method for domain processing , comprising:loading, in a computer memory of a computing device by a first-pass domain filter running on the computing device, character strings representing a pair of domains, the pair of domains consisting of a seed domain and a candidate domain;computing, by the first-pass domain filter, a similarity score and a dynamic threshold for the pair of domains in the computer memory;determining, by the first-pass domain filter, whether the similarity score exceeds the dynamic threshold;iterating, by the first-pass domain filter, the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain; andproviding, by the first-pass domain filter to a downstream computing facility, candidate domains of the plurality of candidate domains in which a similarity score between the seed domain and a respective candidate domain of the candidate domains exceeds a corresponding dynamic threshold.2. The method according to claim 1 , further ...

Natural language processing systems and methods for automatic reduction of false positives in domain discovery

A rules engine is adapted for analyzing each match produced by a domain discovery system as matching a seed domain. Utilizing a natural language processing (NLP) library, the rules engine determines segments from the match, assigns a lexical category to each segment based on the context in how a seed domain string is used, and compares the lexical category of the segment that is closest to the seed domain string with a lexical category of the seed domain string. Based on the comparing, the rules engine determines whether the match is relevant to the seed domain and, if not, the match produced by the domain discovery system is identified as a false positive and automatically removed from a set of matches produced by the domain discovery system for the seed domain.

DOMAIN NAME PROCESSING SYSTEMS AND METHODS

Disclosed is a domain filter capable of determining an n-gram distance between a seed domain and each of a plurality of candidate domains. The domain filter loads a seed domain n-gram for the seed domain and a candidate domain n-gram for each candidate domain in memory, compares the seed domain n-gram and the candidate domain n-gram to identify any identical grams, removes any identical grams from the seed domain n-gram, and determines how many grams are left in the seed domain n-gram, representing the n-gram distance between the seed domain and the candidate domain. The domain filter then compares n-gram distances thus determined with a predetermined threshold, eliminates any candidate domain having an n-gram distance from the seed domain that exceeds the predetermined threshold, and provides remaining candidate domains to a downstream computing facility such as a user interface or an analytical module operating in an enterprise computing environment. 1. A method , comprising:parsing, by a computer, a string corresponding to a domain of interest into n-grams; storing an n-gram for the domain of interest in a memory of the computer;', comparing the n-gram for the domain of interest with n-grams of the respective candidate domain;', 'determining whether the n-gram for the domain of interest is found in the n-grams of the respective candidate domain; and', 'responsive to finding the n-gram for the domain of interest in the n-grams of the respective candidate domain, eliminating the n-gram for the domain of interest from the n-grams parsed from the string corresponding to the domain of interest;, 'for each respective candidate domain of a plurality of candidate domains], 'for each of the n-grams parsed from the string corresponding to the domain of interest, performing, by the computerdetermining, by the computer, an n-gram distance between the domain of interest and each respective candidate domain of the plurality of candidate domains based on a number of n-grams ...

DYNAMICALLY ADAPTIVE FRAMEWORK AND METHOD FOR CLASSIFYING MALWARE USING INTELLIGENT STATIC, EMULATION, AND DYNAMIC ANALYSES

Techniques for malware detection are described herein. According to one aspect, control logic determines an analysis plan for analyzing whether a specimen should be classified as malware, where the analysis plan identifies at least first and second analyses to be performed. Each of the first and second analyses identified in the analysis plan including one or both of a static analysis and a dynamic analysis. The first analysis is performed based on the analysis plan to identify suspicious indicators characteristics related to processing of the specimen. The second analysis is performed based on the analysis plan to identify unexpected behaviors having processing or communications anomalies. A classifier determines whether the specimen should be classified as malicious based on the static and dynamic analyses. The analysis plan, the indicators, the characteristics, and the anomalies are stored in a persistent memory. 1. A computer implemented method of detecting malware in a specimen of computer content or network traffic , the method comprising:responsive to receiving a specimen, determining, by a controller, an analysis plan for analyzing whether the received specimen should be classified as malware, the analysis plan identifying at least a first analysis and a second analysis to be performed with respect to the specimen, each of the first analysis and the second analysis identified in the analysis plan including at least one of a static analysis and a dynamic analysis;performing the first analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;performing the second analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment including with one or more monitors to identify one or more unexpected behaviors each having one or more processing or communications anomalies;determining by a ...

FUZZY HASH OF BEHAVIORAL RESULTS

A computerized method is described in which a received object is analyzed by a malicious content detection (MCD) system to determine whether the object is malware or non-malware. The analysis may include the generation of a fuzzy hash based on a collection of behaviors for the received object. The fuzzy hash may be used by the MCD system to determine the similarity of the received object with one or more objects in previously classified/analyzed clusters. Upon detection of a “similar” object, the suspect object may be associated with the cluster and classified based on information attached to the cluster. This similarity matching provides 1) greater flexibility in analyzing potential malware objects, which may share multiple characteristics and behaviors but are also slightly different from previously classified objects and 2) a more efficient technique for classifying/assigning attributes to objects. 1. A computerized method for classifying objects in a malware system , comprising:receiving, by a malicious content detection (MCD) system, an object to be classified;detecting behaviors of the received object, wherein the behaviors are detected after processing the received object;generating a fuzzy hash for the received object based on the detected behaviors;comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; andreporting, via a communications interface, results of the association to a client device.2. The computerized method of claim 1 , further comprising:creating a new cluster for the received object in response to determining that the similarity measure is below the predefined threshold value.3. The computerized method of claim 1 , wherein the received object is at least one of a file claim 1 , a uniform resource locator claim ...

Threat actor identification systems and methods

A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

SYSTEM AND METHOD FOR ANALYZING WEB CONTENT

A system and computer based method are provided for identifying active content in websites on a network. In one aspects, a method for classifying web content includes determining a first property associated with static content of a web page, determining a second property associated with the content of the web page based at least in part on active content associated with the web page, evaluating a logical expression relating the first property and the second property, at least in part by evaluating whether a constant value matches at least a portion of the content of the web page, associating the web page with a category based on a result of the evaluation, and determining whether to allow network access to the web page based on the category. 1. A method of classifying web content , implemented on one or more computer processors , the method comprising:using at least one of the processors, determining a first property associated with content of a web page, the first property comprising static content associated with the web page;using at least one of the processors, determining a second property associated with the content of the web page based at least in part on active content associated with the web page;using at least one of the processors, evaluating a logical expression relating the first property and the second property, at least in part by evaluating whether a constant value matches at least a portion of the content of the web page;using at least one of the processors, associating the web page with a category based on a result of the evaluation; anddetermining whether to allow network access to the web page based on the category.2. The method of claim 1 , further comprising executing the active content in a sandbox environment to determine the second property.3. The method of claim 1 , wherein determining the first property associated with content of the web page comprises identifying a keyword in the content of the web page.4. The method of claim 1 , wherein ...

Domain name processing systems and methods

Disclosed is a domain filter capable of determining an n-gram distance between a seed domain and each of a plurality of candidate domains. The domain filter loads a seed domain n-gram for the seed domain and a candidate domain n-gram for each candidate domain in memory, compares the seed domain n-gram and the candidate domain n-gram to identify any identical grams, removes any identical grams from the seed domain n-gram, and determines how many grams are left in the seed domain n-gram, representing the n-gram distance between the seed domain and the candidate domain. The domain filter then compares n-gram distances thus determined with a predetermined threshold, eliminates any candidate domain having an n-gram distance from the seed domain that exceeds the predetermined threshold, and provides remaining candidate domains to a downstream computing facility such as a user interface or an analytical module operating in an enterprise computing environment.

SYSTEMS AND METHODS FOR DISCOVERY OF BRAND-REGISTERED DOMAIN NAMES

Taking a zero-configuration approach, a domain name discovery system utilizes, in an iterative process, WHOIS data and infrastructure data for a seed domain to automatically discover domain names having registration and/or infrastructure details that match those of the seed domain. Registration information such as a registered email address associated with a domain name discovered through WHOIS data matching or infrastructure data matching is utilized in a reverse lookup for domain names having infrastructure or WHOIS registered information that fully matches the information associated with the domain name discovered through the iterative process. Domain names discovered through WHOIS data matching, infrastructure data matching, and reverse lookup can be presented through a user interface on a client device communicatively connected to the domain name discovery system over a network. The domain name discovery can be performed periodically or in near real time responsive to receiving a new seed domain. 1. A method for domain name discovery , comprising:obtaining WHOIS data and infrastructure data for a seed domain, the obtaining performed by a domain name discovery server computer, the WHOIS data containing domain name registration information for the seed domain;determining, by the domain name discovery server computer, whether the domain name registration information for the seed domain is private;responsive to the domain name registration information for the seed domain being private, performing an infrastructure data matching procedure utilizing the infrastructure data for the seed domain, the infrastructure data matching procedure performed by the domain name discovery server computer;responsive to the domain name registration information for the seed domain not being private, performing a WHOIS data matching procedure utilizing the WHOIS data for the seed domain, the WHOIS data matching procedure performed by the domain name discovery server computer; ...

Threat actor identification systems and methods

A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

FUZZY HASH OF BEHAVIORAL RESULTS

A computerized method for classifying objects in a malware system is described. The method includes detecting behaviors of an object for classification after processing of the object has begun. Data associated with the detected behaviors is collected, and a fuzzy hash for the received object is generated. The generation of the fuzzy hash may include (i) removing a portion of the data associated with the detected behaviors, and (ii) performing a hash operation on a remaining portion of the data associated with the detected behaviors. Thereafter, the fuzzy hash for the received object is compared to a fuzzy hash of an object in a preexisting cluster to generate a similarity measure. The received object is associated with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value. Thereafter, the results are reported. 1. A computerized method for classifying objects in a malware system , comprising:detecting behaviors of an object for classification after processing of the received object has started;collecting data associated with the detected behaviors; (i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and', '(ii) performing a hash operation on the remaining portion of the data associated with the detected behaviors;, 'generating a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating of the fuzzy hash includescomparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; andreporting, via a communications interface, whether the received object is associated with the preexisting cluster.2. The computerized method of claim 1 , ...

VISUAL DOMAIN DETECTION SYSTEMS AND METHODS

Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names. 1. A method , comprising:obtaining, by a computer, a domain name from a data source;converting, by the computer, the domain name into an image;converting, by the computer, the image into a first text string corresponding to the domain name obtained from the data source;determining, by the computer utilizing a string distance function, a distance between the first text string corresponding to the domain name obtained from the data source and a second text string corresponding to a domain name of interest;determining, by the computer based at least on the distance, whether the first text string corresponding to the domain name obtained from the data source is visually similar to or matches the second text string corresponding to the domain name of interest; andresponsive to the first text string corresponding to the domain name obtained from the data source being determined as visually similar to or matches the second text string corresponding to the domain name of interest, identifying the domain name obtained from the data source as a candidate domain.2. The method according to claim 1 , wherein whether the first text string corresponding to the domain name obtained from the data source is visually similar to or matches the ...

DOMAIN NAME CLASSIFICATION SYSTEMS AND METHODS

Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process. 1. A computer-implemented method for domain name classification , the method comprising:obtaining, by a pre-processing engine executing on a processor, input domain names from multiple data sources, the input domain names associated with a brand or entity;extracting, by the pre-processing engine utilizing a lexicon for the brand or entity, a set of words of interest to the brand or entity from the input domain names;determining, by the pre-processing engine, a word vector for each respective word of the set of words extracted from the input domain names;analyzing, by the pre-processing engine, the word vector for each respective word of the set of words extracted from the input domain names;determining, by the pre-processing engine based on the analyzing, a list of true positives;determining, by the pre-processing engine from the input domain names, a list of domain names containing a substring that is an exact match of the brand or entity;determining, by an analyzer executing on a processor utilizing the list of true positives and the list of domain names, candidate words included ...

Identifying Legitimate Websites to Remove False Positives from Domain Discovery Analysis

Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

DOMAIN NAME PROCESSING SYSTEMS AND METHODS

Disclosed is a domain filter capable of determining an n-gram distance between a seed domain and each of a plurality of candidate domains. The domain filter loads a seed domain n-gram for the seed domain and a candidate domain n-gram for each candidate domain in memory, compares the seed domain n-gram and the candidate domain n-gram to identify any identical grams, removes any identical grams from the seed domain n-gram, and determines how many grams are left in the seed domain n-gram, representing the n-gram distance between the seed domain and the candidate domain. The domain filter then compares n-gram distances thus determined with a predetermined threshold, eliminates any candidate domain having an n-gram distance from the seed domain that exceeds the predetermined threshold, and provides remaining candidate domains to a downstream computing facility such as a user interface or an analytical module operating in an enterprise computing environment. 1. A method , comprising: loading a seed domain n-gram for the seed domain and a candidate domain n-gram for the each candidate domain in the computer memory;', 'comparing the seed domain n-gram and the candidate domain n-gram to identify any identical grams in the seed domain n-gram and the candidate domain n-gram;', 'removing any identical grams from the seed domain n-gram in the computer memory; and', 'counting a number of grams left in the seed domain n-gram in the computer memory after the removing, the number representing the n-gram distance between the seed domain and the each candidate domain;, 'determining an n-gram distance between a seed domain and each candidate domain of a plurality of candidate domains, the determining performed by a domain filter running on a computing device having a computer memory, the determining comprisingcomparing n-gram distances determined by the domain filter with a predetermined threshold;eliminating, from the plurality of candidate domains, any candidate domain having an n- ...

Identifying legitimate websites to remove false positives from domain discovery analysis

Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate (605) a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive (610) information identifying a first domain for analysis and may execute (615-645) one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution (615-645) of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send (650) one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Systems and methods for email campaign domain classification

A domain processing system receives or collects (201, 203) raw data containing sample domains each having a known class identity indicating whether a domain is conducting an email campaign. The domain processing system extracts (205) features from each of the sample domains and selects (207) features of interest from the features, including at least a feature particular to a seed domain and features particular to email activities over a time line that includes days before and after a domain creation date. The features of interest are used to create (211) feature vectors which, in turn, are used to train (220) a machine learning model, the training (220) including optimizing a neural network structure iteratively until stopping criteria are satisfied. The trained model functions as an email campaign domain classifier operable to classify candidate domains with unknown class identities such that each of the candidate domain is classified as conducting or not conducting an email campaign.

Domain name classification systems and methods

Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.

Identifying legitimate websites to remove false positives from domain discovery analysis

Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Identifying legitimate websites to remove false positives from domain discovery analysis

Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Visual domain detection systems and methods

Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names.

Data enrichment systems and methods for abbreviated domain name classification

To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name to thereby establish a relationship there-between. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.

Intelligent clustering systems and methods useful for domain protection

An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power. Optimized clusters can be used by a prediction engine to increase prediction performance and/or by a network security specialist to identify hidden patterns.

Identifying legitimate websites to remove false positives from domain discovery analysis

Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate (605) a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive (610) information identifying a first domain for analysis and may execute (615-645) one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution (615-645) of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send (650) one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Domain name classification systems and methods

Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.

Data enrichment systems and methods for abbreviated domain name classification

To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name to thereby establish a relationship there-between. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.

Identifying legitimate websites to remove false positives from domain discovery analysis

Domain name processing systems and methods

A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility.

Data enrichment systems and methods for abbreviated domain name classification

To find enriching contextual information for an abbreviated domain name, a data enrichment engine can comb through web content source code corresponding to the abbreviated domain name. From textual content in the web content source code, the data enrichment engine can identify words with initial characters that match characters of the abbreviated domain name to thereby establish a relationship there-between. This relationship can facilitate more accurate and efficient domain name classification. The data enrichment engine can query a WHOIS server to find out if candidate domains having initial characters that match the characters of the abbreviated domain name are registered to the same entity. If so, keywords can be extracted from the candidate domains and used to find more relevant domains for domain risk analysis and detection. Candidate domains determined by the data enrichment engine can be provided to a downstream computing facility such as a domain filter.

Domain name processing systems and methods

A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility.

Identifying legitimate websites to remove false positives from domain discovery analysis

Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate (605) a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive (610) information identifying a first domain for analysis and may execute (615-645) one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution (615-645) of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send (650) one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.

Systems and methods for email campaign domain classification

Domain name classification systems and methods

Disclosed is a domain engineering analysis solution that determines relevance of a domain name to a brand name in which a domain name, brand name, and identification of a substring of the domain name may be provided to or obtained by a computer embodying a domain engineering analyzer. A list of features may be determined. The list of features may include a lexicon, or a set of key-value pairs that encode information about terms included as substrings in the domain name. Determining the features may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, and determining and scoring a relevance of each term to the brand name. The determined relevance and score of each term may be provided to a client. This relevance analysis can be dynamically applied in an online process or proactively applied in an offline process.

Threat actor identification systems and methods

A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

Spammy app detection systems and methods

A spammy app detection system may search a database for any new social media application discovered during a recent time period. A spammy app detection algorithm can be executed on the spammy app detection system on an hourly basis to determine whether any of such applications is spammy (i.e., posting to a social media page anomalously). The spammy app detection algorithm has a plurality of stages. When a new social media application fails any of the stages, it is identified as a spammy app. The spammy app detection system can update the database accordingly, ban the spammy application from further posting to a social media page monitored by the spammy app detection system, notify an entity associated with the social media page, further process the spammy application, and so on. In this way, the spammy app detection system can reduce digital risk and spam attacks.

Detecting random and/or algorithmically-generated character sequences in domain names

Aspects of the disclosure relate to detecting random and/or algorithmically-generated character sequences in domain names. A computing platform may train a machine learning model based on a set of semantically-meaningful words. Subsequently, the computing platform may receive a seed string and a set of domains to be analyzed in connection with the seed string. Based on the machine learning model, the computing platform may apply a classification algorithm to the seed string and the set of domains, where applying the classification algorithm to the seed string and the set of domains produces a classification result. Thereafter, the computing platform may store the classification result.

Threat actor identification systems and methods

A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

Threat actor identification

Domain name processing systems and methods

A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility.

Intelligent clustering systems and methods useful for domain protection

An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power. Optimized clusters can be used by a prediction engine to increase prediction performance and/or by a network security specialist to identify hidden patterns.

Intelligent clustering systems and methods useful for domain protection

An intelligent clustering system has a dual-mode clustering engine for mass-processing and stream-processing. A tree data model is utilized to describe heterogenous data elements in an accurate and uniform way and to calculate a tree distance between each data element and a cluster representative. The clustering engine performs element clustering, through sequential or parallel stages, to cluster the data elements based at least in part on calculated tree distances and parameter values reflecting user-provided domain knowledge on a given objective. The initial clusters thus generated are fine-tuned by undergoing an iterative self-tuning process, which continues when new data is streamed from data source(s). The clustering engine incorporates stage-specific domain knowledge through stage-specific configurations. This hybrid approach combines strengths of user domain knowledge and machine learning power. Optimized clusters can be used by a prediction engine to increase prediction performance and/or by a network security specialist to identify hidden patterns.

Detecting Random and/or Algorithmically-Generated Character Sequences in Domain Names

Aspects of the disclosure relate to detecting random and/or algorithmically-generated character sequences in domain names. A computing platform may train a machine learning model based on a set of semantically-meaningful words. Subsequently, the computing platform may receive a seed string and a set of domains to be analyzed in connection with the seed string. Based on the machine learning model, the computing platform may apply a classification algorithm to the seed string and the set of domains, where applying the classification algorithm to the seed string and the set of domains produces a classification result. Thereafter, the computing platform may store the classification result.

Threat actor identification systems and methods

A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.

Fuzzy hash of behavioral results

A computerized method for classifying objects in a malware system is described. The method includes detecting behaviors of an object for classification after processing of the object has begun. Data associated with the detected behaviors is collected, and a fuzzy hash for the received object is generated. The generation of the fuzzy hash may include (i) removing a portion of the data associated with the detected behaviors, and (ii) performing a hash operation on a remaining portion of the data associated with the detected behaviors. Thereafter, the fuzzy hash for the received object is compared to a fuzzy hash of an object in a preexisting cluster to generate a similarity measure. The received object is associated with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value. Thereafter, the results are reported.

Malware analysis in accordance with an analysis plan

Techniques for malware detection are described. Herein, a system, which detects malware in a received specimen, comprises a processor and a memory. Communicatively coupled to the processor, the memory comprises a controller that controls analysis of the specimen for malware in accordance with an analysis plan. The memory further comprises (a) a static analysis module that performs at least a first static analysis to identify a suspicious indicator of malware and at least partially determine that the specimen includes a packed object; (b) an emulation analysis module that emulates operations associated with processing of the specimen by a software application or library, including unpacking an object of the specimen when the specimen is determined by the static analysis module to include the packed object, and monitors one or more behaviors of the specimen during the emulated operations; and a classifier that determines whether the specimen should be classified as malicious.

Framework for classifying an object as malicious with machine learning for deploying updated predictive models

According to one embodiment, an apparatus comprises a detection engine and a classification engine. The detection engine is responsible for analyzing an object to determine if the object is malicious. The classification engine is configured to (i) receive results of the analysis of the object conducted by the detection engine and (ii) analyze, based at least in part on the results from the detection engine, whether the object is malicious in accordance with a predictive model. Responsive to the detection engine and the classification engine differing in determinations as to whether the object is malicious, information associated with at least a portion of the results of the analysis of the object by at least one of the detection engine and the classification engine is uploaded for determining whether an update of the predictive model is to occur. An update of the predictive model is subsequently received by the classification engine.

System and method for analyzing web content

A system and computer based method are provided for identifying active content in websites on a network. In one aspects, a method for classifying web content includes determining a first property associated with static content of a web page, determining a second property associated with the content of the web page based at least in part on active content associated with the web page, evaluating a logical expression relating the first property and the second property, at least in part by evaluating whether a constant value matches at least a portion of the content of the web page, associating the web page with a category based on a result of the evaluation, and determining whether to allow network access to the web page based on the category.