-
Publication No.: US08745731B2
Publication date: 2014-06-03
Application No.: US12061664
Filing date: 2008-04-03
Applicants: Kannan Achan, Yinglian Xie, Fang Yu
Inventors: Kannan Achan, Yinglian Xie, Fang Yu
CPC classification: H04L63/1441, H04L2463/144
Abstract: Identification and prevention of email spam that originates from botnets may be performed by finding similarity in their host property and behavior patterns using a set of labeled data. Clustering models of host properties pertaining to previously identified and appropriately tagged botnet hosts may be learned. Given labeled data, each botnet may be examined individually and a clustering model learned to reflect upon a set of selected host properties. Once a model has been learned for every botnet, clustering behavior may be used to look for host properties that fit into a profile. Such traffic can be either discarded or tagged for subsequent analysis, and can also be used to profile botnets, preventing them from launching other attacks. In addition, models of individual botnets can be further clustered to form superclusters, which can help understand botnet behavior and detect future attacks.
-
Publication No.: US08856360B2
Publication date: 2014-10-07
Application No.: US11821211
Filing date: 2007-06-22
Applicants: Kannan Achan, Eliot Gillum, Yinglian Xie, Fang Yu
Inventors: Kannan Achan, Eliot Gillum, Yinglian Xie, Fang Yu
CPC classification: H04L63/1408, H04L29/12783, H04L61/35
Abstract: Dynamic IP addresses may be automatically identified and their dynamics patterns may be analyzed. Multi-user IP address blocks are determined as candidates for further analysis. An entropy score is determined for each IP address in every candidate block to distinguish between a dynamic IP and a static IP shared by multiple users. IP addresses with high entropy scores are grouped and then analyzed, and may be used in various applications, such as spam filtering.
-
Publication No.: US20090254989A1
Publication date: 2009-10-08
Application No.: US12061664
Filing date: 2008-04-03
Applicants: Kannan Achan, Yinglian Xie, Fang Yu
Inventors: Kannan Achan, Yinglian Xie, Fang Yu
CPC classification: H04L63/1441, H04L2463/144
Abstract: Identification and prevention of email spam that originates from botnets may be performed by finding similarity in their host property and behavior patterns using a set of labeled data. Clustering models of host properties pertaining to previously identified and appropriately tagged botnet hosts may be learned. Given labeled data, each botnet may be examined individually and a clustering model learned to reflect upon a set of selected host properties. Once a model has been learned for every botnet, clustering behavior may be used to look for host properties that fit into a profile. Such traffic can be either discarded or tagged for subsequent analysis, and can also be used to profile botnets, preventing them from launching other attacks. In addition, models of individual botnets can be further clustered to form superclusters, which can help understand botnet behavior and detect future attacks.
-
Publication No.: US20090265786A1
Publication date: 2009-10-22
Application No.: US12104441
Filing date: 2008-04-17
Applicants: Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Ivan Osipkov, Geoffrey J. Hulten
Inventors: Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Ivan Osipkov, Geoffrey J. Hulten
IPC classification: G06F21/00
CPC classification: H04L63/1441, G06F21/564, G06F2221/2145, H04L51/12, H04L63/126, H04L2463/144
Abstract: A framework may be used for generating URL signatures to identify botnet spam and membership. The framework may take as input a set of unlabeled emails, which are grouped based on the URLs contained within them. The framework may return a set of spam URL signatures and a list of corresponding botnet host IP addresses by analyzing the URLs within the emails in each group. Each URL signature may be in the form of either a complete URL string or a URL regular expression. The signatures may be used to identify spam emails launched from botnets, while knowledge of botnet host identities can help filter other spam emails also sent by them.
-
Publication No.: US20080320119A1
Publication date: 2008-12-25
Application No.: US11821211
Filing date: 2007-06-22
Applicants: Kannan Achan, Eliot Gillum, Yinglian Xie, Fang Yu
Inventors: Kannan Achan, Eliot Gillum, Yinglian Xie, Fang Yu
IPC classification: G06F15/177
CPC classification: H04L63/1408, H04L29/12783, H04L61/35
Abstract: Dynamic IP addresses may be automatically identified and their dynamics patterns may be analyzed. Multi-user IP address blocks are determined as candidates for further analysis. An entropy score is determined for each IP address in every candidate block to distinguish between a dynamic IP and a static IP shared by multiple users. IP addresses with high entropy scores are grouped and then analyzed, and may be used in various applications, such as spam filtering.
-
Publication No.: US08434150B2
Publication date: 2013-04-30
Application No.: US13070497
Filing date: 2011-03-24
Applicants: Yinglian Xie, Fang Yu, Martin Abadi, Eliot C. Gillum, Junxian Huang, Zhuoqing Morley Mao, Jason D. Walter, Krishna Vitaldevara
Inventors: Yinglian Xie, Fang Yu, Martin Abadi, Eliot C. Gillum, Junxian Huang, Zhuoqing Morley Mao, Jason D. Walter, Krishna Vitaldevara
IPC classification: H04L29/06
CPC classification: H04L63/145, H04L51/12
Abstract: Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. The biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may then be used to identify further legitimate users. Using degree-based detection techniques and PageRank-based detection techniques, hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.
-
Publication No.: US20110208714A1
Publication date: 2011-08-25
Application No.: US12708541
Filing date: 2010-02-19
Applicants: David Soukal, Fang Yu, Yinglian Xie, Qifa Ke, Zijian Zheng, Frederic H. Behr, Jr.
Inventors: David Soukal, Fang Yu, Yinglian Xie, Qifa Ke, Zijian Zheng, Frederic H. Behr, Jr.
CPC classification: G06F21/552, G06F16/951, H04L63/1408, H04L63/1425, H04L63/1458, H04L2463/144
Abstract: A framework may be used for identifying low-rate search bot traffic within query logs by capturing groups of distributed, coordinated search bots. Search log data may be input to a history-based anomaly detection engine to determine whether the query-click pairs associated with a query are suspicious in view of the historical query-click pairs for that query. Users associated with suspicious query-click pairs may be input to a matrix-based bot detection engine to determine correlations between the queries submitted by those users. Users showing strong correlations may be categorized as bots, whereas those who do not may be categorized as part of flash crowd traffic.
-
Publication No.: US08789171B2
Publication date: 2014-07-22
Application No.: US12055321
Filing date: 2008-03-26
Applicants: Ivan Osipkov, Geoffrey Hulten, John Mehr, Yinglian Xie, Fang Yu
Inventors: Ivan Osipkov, Geoffrey Hulten, John Mehr, Yinglian Xie, Fang Yu
IPC classification: H04L29/06
CPC classification: H04L67/22, H04L61/2061, H04L63/1408, H04L2463/144
Abstract: The claimed subject matter is directed to mining user behavior data for increasing Internet Protocol ("IP") space intelligence. Specifically, the claimed subject matter provides a method and system for mining user behavior within an IP address space and for applying the IP address space intelligence derived from the mined user behavior. In one embodiment, the IP address space intelligence is formed and/or increased with information obtained from the mined user behavior data. A system of uniquely identified users is monitored and their behavior within the IP address space is recorded. Further data is mined from estimated characteristics of the user, including the nature of the IP address the user uses to log into the service, and the IP address is characterized according to a network type.
-
Publication No.: US08069210B2
Publication date: 2011-11-29
Application No.: US12249732
Filing date: 2008-10-10
Applicants: Eliot C. Gillum, Qifa Ke, Yinglian Xie, Fang Yu, Yao Zhao
Inventors: Eliot C. Gillum, Qifa Ke, Yinglian Xie, Fang Yu, Yao Zhao
IPC classification: G06F15/16
CPC classification: H04L51/12, G06Q30/02, H04L63/1416, H04L2463/144
Abstract: Computer-implemented methods are disclosed for detecting bot-user groups that send spam email over a web-based email service. Embodiments of the present system employ a two-pronged approach to detecting bot-user groups. The first prong employs a history-based approach for detecting anomalous changes in user account information, such as aggressive bot-user signups. The second prong of the present system entails constructing a large user-user relationship graph, in which bot-user subgraphs are identified by finding tightly connected subgraph components.
-
Publication No.: US20110283360A1
Publication date: 2011-11-17
Application No.: US12780935
Filing date: 2010-05-17
Applicants: Martin Abadi, Yinglian Xie, Fang Yu, John Payyappillil John
Inventors: Martin Abadi, Yinglian Xie, Fang Yu, John Payyappillil John
IPC classification: G06F21/00
CPC classification: H04L63/1416, H04L63/0227
Abstract: A framework identifies malicious queries contained in search logs to uncover relationships between the malicious queries and the potential attacks launched by the attackers submitting them. A small seed set of malicious queries may be used to identify an IP address in the search logs that submitted the malicious queries. The seed set may be expanded by examining all queries in the search logs submitted by the identified IP address. Regular expressions may be generated from the expanded set of queries and used to detect further malicious queries. Upon identifying the malicious queries, the framework may be used to detect attacks on vulnerable websites, spamming attacks, and phishing attacks.
-