US 11,689,546 B2
Improving network security through real-time analysis of character similarities
Ofer Rivlin, Petach-Tikva (IL)
Assigned to CYBERARK SOFTWARE LTD., Petach-Tikva (IL)
Filed by CyberArk Software Ltd., Petach-Tikva (IL)
Filed on Sep. 28, 2021, as Appl. No. 17/487,319.
Prior Publication US 2023/0098812 A1, Mar. 30, 2023
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/0236 (2013.01); H04L 63/145 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01)]
18 Claims
1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for analyzing domain names to detect potential security risks, the operations comprising:
identifying a reference name;
identifying a domain name;
performing a real time analysis of the domain name, the analysis comprising:
applying a language processing protocol to the domain name, wherein the domain name is an input to the application of the language processing protocol and the language processing protocol is a word embedding algorithm for separating the domain name into two or more subparts, wherein each of the two or more subparts comprises at least one character;
calculating, for each of the at least two subparts, a first score using term frequency inverse document frequency;
creating vectors associated with the word embedding algorithm for the domain name based on the first score for each of the at least two subparts;
generating, based on the domain name, the vectors, the first score, and the application of the language processing protocol, a second score indicating a similarity between the domain name and the reference name;
accessing a similarity threshold; and
comparing the second score with the similarity threshold;
determining, based on the comparison, that the second score exceeds the threshold; and
performing, based on the determination, a security action corresponding to the domain name, the security action comprising at least one of:
sending an alert indicating the domain name is potentially malicious;
displaying a visual notation associated with the domain name;
blocking access to the domain name;
preventing an email from being sent to an email address associated with the domain name; or
preventing an email from being received from an email address associated with the domain name.
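
The scoring steps of claim 1, as an added Python example (not the patent's or CyberArk's implementation). Assumptions: character bigrams serve as the subparts, cosine similarity serves as the second score, and the corpus, the `.example` domains, the 0.6 threshold and all function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample corpus of known names, used only for document frequencies.
CORPUS = ["cyberark", "example", "openbank", "mailhost"]

def subparts(name, n=2):
    """Split a name into overlapping character n-grams (assumed subpart scheme)."""
    s = f"^{name.lower()}$"  # ^ and $ mark the start and end of the name
    return [s[i:i + n] for i in range(len(s) - n + 1)]

def idf_weights(corpus):
    """Smoothed inverse document frequency for every subpart seen in the corpus."""
    df = Counter(g for name in corpus for g in set(subparts(name)))
    return {g: math.log((1 + len(corpus)) / (1 + c)) + 1 for g, c in df.items()}

def tfidf_vector(name, idf, n_docs):
    """First score per subpart: term frequency times IDF, as a sparse vector."""
    unseen = math.log(1 + n_docs) + 1  # weight for subparts absent from the corpus
    return {g: tf * idf.get(g, unseen) for g, tf in Counter(subparts(name)).items()}

def cosine(a, b):
    """Second score: cosine similarity of two sparse vectors."""
    dot = sum(w * b.get(g, 0.0) for g, w in a.items())
    norm = (math.sqrt(sum(w * w for w in a.values()))
            * math.sqrt(sum(w * w for w in b.values())))
    return dot / norm if norm else 0.0

def check_domain(domain, reference, corpus=CORPUS, threshold=0.6):
    """Return (score, flagged). An exact match to the reference is treated as
    the legitimate name and not flagged (an assumption of this example)."""
    label = domain.lower().rsplit(".", 1)[0]  # drop the final label (TLD)
    idf = idf_weights(corpus)
    score = cosine(tfidf_vector(label, idf, len(corpus)),
                   tfidf_vector(reference, idf, len(corpus)))
    return score, (label != reference.lower() and score > threshold)

if __name__ == "__main__":
    # Constructed test domains under the reserved .example TLD.
    for d in ["cyberark.example", "cyberrark.example",
              "cyberarc.example", "mailhost.example"]:
        score, flagged = check_domain(d, "cyberark")
        print(f"{d:20s} score={score:.3f} {'ALERT' if flagged else 'ok'}")
```

A flagged result corresponds to the point in the claim where one of the listed security actions (alert, visual notation, block, or mail restriction) would be taken.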