| CPC H04L 63/1483 (2013.01) [G06F 18/2431 (2023.01); H04L 9/3247 (2013.01); H04L 63/1416 (2013.01)] | 17 Claims |
|
1. A system for phishing website classification, comprising: a processor configured to:
access a first website comprising a first plurality of images, wherein the first website is known to be a phishing website that is attempting to impersonate a target website;
extract the first plurality of images from the first website;
for at least a first image from the first plurality of images, determine a first hash value for the first image, wherein the first hash value comprises a first serial number uniquely identifying the first image;
determine a second hash value for at least a second image from the first plurality of images, wherein the second hash value comprises a second serial number uniquely identifying the second image;
determine a first overall hash value for the first website, wherein:
determining the first overall hash value comprises hashing at least the first hash value and the second hash value; and
the first overall hash value represents a first signature associated with the first website;
access a list of a plurality of phishing websites, wherein:
each phishing website from among the plurality of phishing websites is associated with a different overall hash value from among a plurality of overall hash values, and
each overall hash value from among the plurality of overall hash values is used to identify a different phishing website from among the plurality of phishing websites;
compare the first overall hash value with at least a second overall hash value from among the plurality of overall hash values, wherein the second overall hash value is associated with a particular phishing website, wherein the second overall hash value is generated from hashing at least a third hash value and a fourth hash value, wherein the third hash value uniquely identifies a third image from the particular phishing website, and the fourth hash value uniquely identifies a fourth image from the particular phishing website;
determine whether the first overall hash value corresponds to the second overall hash value;
in response to determining that the first overall hash value corresponds to the second overall hash value, classify the first website with the particular phishing website in a first phishing website class; and
a memory, operably coupled with the processor, and operable to store the list of the plurality of phishing websites.
|