US 12,457,237 B2
Automated generation of behavioral signatures for malicious web campaigns
William Russell Melicher, Sunnyvale, CA (US); Oleksii Starov, Sunnyvale, CA (US); Shresta Bellary Seetharam, Sunnyvale, CA (US); and Shaown Sarker, Santa Clara, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jan. 31, 2023, as Appl. No. 18/104,058.
Claims priority of provisional application 63/305,967, filed on Feb. 2, 2022.
Prior Publication US 2023/0254338 A1, Aug. 10, 2023
Int. Cl. H04L 9/40 (2022.01); G06F 16/951 (2019.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01)
CPC H04L 63/1441 (2013.01) [G06F 16/951 (2019.01); H04L 63/0245 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)]
20 Claims
 
1. A system, comprising:
a memory configured to provide instructions; and
a processor coupled to the memory and configured to:
crawl a plurality of web sites associated with a malware campaign for behavior related and static related attributes;
determine behavior related and static related discriminating repeating attributes as malware campaign related footprint patterns, wherein the discriminating repeating attributes are associated with more than one of the crawled web sites and are not associated with benign web sites, wherein the behavior related discriminating repeating attributes are based on browser application programming interface (API) calls from dynamic execution;
automatically generate a transparently human-interpretable malware campaign signature represented in plain text based on the malware campaign related footprint patterns; and
distribute the malware campaign signature to a firewall, wherein the firewall is configured to apply the malware campaign signature based on monitored network traffic activity, and wherein a visited web site is detected to be associated with the malware campaign based on a match with the malware campaign signature.
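
The attribute-selection and signature-generation steps of claim 1, sketched as an added example that is not taken from the patent or from the assignee's implementation. The host names, the `api:`/`static:` attribute labels, the `campaign`/`require` text format and the all-attributes-required matching rule are assumptions made for illustration.

```python
from collections import Counter

# Constructed crawl results (hypothetical hosts and attribute names).
# "api:" = browser API call seen in dynamic execution, "static:" = static attribute.
CAMPAIGN = {
    "shop-a.example": {"api:document.write", "api:navigator.clipboard.writeText",
                       "static:script=/js/cb.js", "api:fetch"},
    "shop-b.example": {"api:document.write", "api:navigator.clipboard.writeText",
                       "static:script=/js/cb.js", "api:WebSocket"},
    "shop-c.example": {"api:navigator.clipboard.writeText",
                       "static:script=/js/cb.js", "api:fetch"},
}
BENIGN = {
    "news.example": {"api:fetch", "api:document.write"},
    "blog.example": {"api:fetch", "static:script=/js/app.js"},
}

def discriminating_attributes(campaign, benign, min_sites=2):
    """Attributes seen on at least min_sites campaign sites and on no benign site."""
    counts = Counter(a for attrs in campaign.values() for a in attrs)
    benign_seen = set().union(*benign.values())
    return sorted(a for a, n in counts.items()
                  if n >= min_sites and a not in benign_seen)

def generate_signature(name, attrs):
    """Render the footprint as plain text, one required attribute per line."""
    return "\n".join([f"campaign {name}"] + [f"require {a}" for a in attrs])

def matches(signature, observed):
    """Assumed rule: a site matches only if every required attribute was observed.
    An empty signature matches nothing, so it cannot flag every site."""
    required = {line.split(" ", 1)[1] for line in signature.splitlines()
                if line.startswith("require ")}
    return bool(required) and required <= set(observed)

if __name__ == "__main__":
    sig = generate_signature("demo-campaign",
                             discriminating_attributes(CAMPAIGN, BENIGN))
    print(sig)
    visited = {"api:navigator.clipboard.writeText", "static:script=/js/cb.js",
               "api:fetch"}  # constructed observation of a newly visited site
    print("campaign match:", matches(sig, visited))
    print("benign match:", matches(sig, BENIGN["news.example"]))
```

`api:fetch` and `api:document.write` repeat across campaign sites but are dropped because benign sites also show them, and `api:WebSocket` is dropped because only one campaign site shows it.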