US 11,956,257 B2
Domain malware family classification
Aviv Ron, Klachim (IL); Alon Freund, Maale Adumim (IL); Avishay Bartik, Be'er Sheva (IL); David Lazar, Rishon LeZion (IL); and Yakov Shay-El Cohen, Rishon Lezion (IL)
Assigned to International Business Machines Corporation, Armonk, NY (US)
Filed by International Business Machines Corporation, Armonk, NY (US)
Filed on Oct. 13, 2021, as Appl. No. 17/500,018.
Prior Publication US 2023/0114721 A1, Apr. 13, 2023
Int. Cl. H04L 29/06 (2006.01); G06F 18/23 (2023.01); G06K 9/62 (2022.01); H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [G06F 18/23 (2023.01); H04L 63/1425 (2013.01); H04L 63/145 (2013.01); H04L 63/20 (2013.01)] 20 Claims
1. A computer implemented method for classifying domains to malware families, the method comprising:
identifying a corpus of malicious domains;
identifying one or more suspicious domains;
extracting a timeframe corresponding to the one or more suspicious domains;
calculating a rank correlation coefficient between the one or more suspicious domains and a current seed domain of the corpus of malicious domains;
determining whether the rank correlation coefficient exceeds a rank threshold for the one or more suspicious domains to provide a similarity count indicating a number of suspicious domains of the one or more suspicious domains whose rank correlation coefficients exceed the rank threshold;
comparing the similarity count to a relation threshold; and
responsive to determining the similarity count exceeds the relation threshold, applying a tag to the one or more suspicious domains indicating that the one or more suspicious domains correspond to a same malware family as the current seed domain.
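The steps of claim 1 form one procedure, so the following is an added worked example of that procedure in Python; it is not code from the patent or from IBM. It assumes, as constructed choices the claim leaves open, that each domain is described by a daily activity series (for instance DNS query volume per day), that the rank correlation coefficient is Spearman's rho computed on average ranks, that the timeframe is the span of days on which any suspicious domain was active, and that "exceeds" means strictly greater than the threshold. Domain names, thresholds and activity counts are constructed sample values.

```python
from typing import Dict, List, Tuple

# Constructed sample data: 14 days of activity per domain. The suspicious
# domains are only active on days 2..11, which defines the extracted timeframe.
ACTIVITY: Dict[str, List[int]] = {
    "seed.example":  [5, 3, 2, 4, 7, 11, 15, 10, 6, 3, 1, 0, 2, 4],
    "sus-a.example": [0, 0, 7, 13, 22, 34, 46, 31, 19, 10, 4, 1, 0, 0],
    "sus-b.example": [0, 0, 1, 5, 6, 12, 14, 9, 7, 2, 3, 0, 0, 0],
    "sus-c.example": [0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0],
}
SUSPICIOUS = ["sus-a.example", "sus-b.example", "sus-c.example"]


def average_ranks(values: List[float]) -> List[float]:
    """1-based ranks; tied values share the average of their rank positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(x: List[float], y: List[float]) -> float:
    """Spearman rank correlation: Pearson correlation of the two rank vectors."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("series must be the same length and have at least two points")
    rx, ry = average_ranks(x), average_ranks(y)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    if vx == 0 or vy == 0:  # a constant series carries no rank information
        return 0.0
    return cov / (vx * vy) ** 0.5


def extract_timeframe(activity: Dict[str, List[int]], suspicious: List[str]) -> Tuple[int, int]:
    """Timeframe = first to last day on which any suspicious domain was active (assumption)."""
    active_days = [d for name in suspicious for d, v in enumerate(activity[name]) if v > 0]
    if not active_days:
        raise ValueError("no activity observed for the suspicious domains")
    return min(active_days), max(active_days)


def classify_family(activity: Dict[str, List[int]], seed: str, seed_family: str,
                    suspicious: List[str], rank_threshold: float = 0.8,
                    relation_threshold: int = 1) -> dict:
    """Apply claim 1: correlate each suspicious domain with the seed over the
    timeframe, count those above rank_threshold, and tag all of them with the
    seed's family when that count exceeds relation_threshold."""
    start, end = extract_timeframe(activity, suspicious)
    seed_window = activity[seed][start:end + 1]
    correlations = {name: spearman(activity[name][start:end + 1], seed_window)
                    for name in suspicious}
    similarity_count = sum(1 for rho in correlations.values() if rho > rank_threshold)
    tagged = similarity_count > relation_threshold
    tags = {name: seed_family for name in suspicious} if tagged else {}
    return {"timeframe": (start, end), "correlations": correlations,
            "similarity_count": similarity_count, "tagged": tagged, "tags": tags}


if __name__ == "__main__":
    result = classify_family(ACTIVITY, "seed.example", "family-x", SUSPICIOUS)
    for name, rho in result["correlations"].items():
        print(f"{name}: rho={rho:.3f}")
    print("similarity count:", result["similarity_count"], "tagged:", result["tagged"])
```

With these sample series, sus-a is a monotone rescaling of the seed (rho = 1.0), sus-b follows the same rise-and-fall shape with small perturbations (rho about 0.95), and sus-c rises steadily while the seed falls (rho about -0.39). Two of three exceed the rank threshold of 0.8; because 2 exceeds the relation threshold of 1, all three suspicious domains are tagged with the seed's family, which is what the claim's final step specifies. Lowering the rank threshold or raising the relation threshold trades false positives against missed relations, so both values should be tuned against labelled history rather than fixed by guesswork.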