CPC H04L 63/1483 (2013.01) [H04L 51/21 (2022.05); H04L 61/5007 (2022.05); H04L 63/1416 (2013.01)]
18 Claims
1. A system, comprising:
a processor configured to:
monitor network activity associated with a session to detect a request to access a site;
determine advanced application identification associated with the site, comprising to:
perform the following:
A) determine an IP address range of an expected target site based on a website associated with the expected target site;
determine whether an IP address of the site falls within the IP address range of the expected target site, comprising to:
determine whether the IP address of the site resolves to an IP address owned by the expected target site; and
in response to a determination that the IP address of the site does not resolve to the IP address owned by the expected target site, determine that the IP address of the site does not fall within the IP address range of the expected target site; and
in response to a determination that the IP address of the site falls outside the IP address range of the expected target site, determine that the site is a potential phishing site; and
B) determine whether a domain of the site is a newly registered domain (NRD) and the site is visually similar to a well-known similar site, wherein the well-known similar site is a top 10000 site by traffic, wherein the well-known similar site is a legitimate site, wherein the NRD has been registered less than or equal to a predetermined threshold time; and
in response to a determination that the domain of the site is the NRD and the site is visually similar to the well-known site, determine that the site is a potential phishing site; and
identify the site as a phishing site based on the advanced application identification; and
a memory coupled to the processor and configured to provide the processor with instructions.
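
The two checks recited in claim 1, sketched as detection logic. This is an added illustration, not code from the patent or from any product. The range table, the 30-day NRD threshold, the field names, and the assumption that the expected target site and the visual-similarity match are supplied by earlier stages are all hypothetical.

```python
import ipaddress
from datetime import date

# Constructed baseline: expected site -> address ranges it owns (documentation prefixes).
EXPECTED_RANGES = {"example-bank.test": ["198.51.100.0/24", "2001:db8:10::/48"]}
NRD_MAX_AGE_DAYS = 30   # assumed value for the claim's "predetermined threshold time"
TOP_SITE_RANK = 10000   # claim 1: the well-known site is a top 10000 site by traffic

def ip_outside_expected_range(expected_site, observed_ip, ranges=EXPECTED_RANGES):
    """Check A: True when the observed address is in none of the expected site's ranges."""
    nets = [ipaddress.ip_network(c) for c in ranges.get(expected_site, [])]
    if not nets:
        return False  # no baseline for this site, so check A cannot decide
    addr = ipaddress.ip_address(observed_ip)
    return not any(addr in net for net in nets)  # mixed v4/v6 compares as "not in"

def is_newly_registered(registered_on, today, max_age_days=NRD_MAX_AGE_DAYS):
    """True when the domain age is less than or equal to the threshold."""
    age_days = (today - registered_on).days
    return 0 <= age_days <= max_age_days

def evaluate(req, today):
    """Return the reasons a request is a potential phishing site (empty list if none)."""
    reasons = []
    if req.get("expected_site") and ip_outside_expected_range(req["expected_site"], req["ip"]):
        reasons.append("A: IP outside expected range")
    rank = req.get("similar_site_rank")  # rank of the visually similar site, None if no match
    if (is_newly_registered(req["registered_on"], today)
            and rank is not None and rank <= TOP_SITE_RANK):
        reasons.append("B: NRD visually similar to well-known site")
    return reasons

# Constructed sample requests.
TODAY = date(2024, 6, 1)
LOOKALIKE = {"expected_site": "example-bank.test", "ip": "203.0.113.7",
             "registered_on": date(2024, 5, 28), "similar_site_rank": 120}
LEGIT = {"expected_site": "example-bank.test", "ip": "198.51.100.20",
         "registered_on": date(2015, 3, 2), "similar_site_rank": None}

if __name__ == "__main__":
    for name, req in (("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, evaluate(req, TODAY) or "no finding")
```

Check A returns no finding when no range baseline exists for the expected site, so a missing baseline is not treated as a mismatch.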