US 12,132,762 B2
Electronic device and method for detecting malicious server
In Wook Hwang, Seongnam-si (KR); and Chang Hoon Yoon, Seongnam-si (KR)
Assigned to S2W INC., Seongnam-si (KR)
Filed by S2W INC., Seongnam-si (KR)
Filed on Dec. 1, 2023, as Appl. No. 18/526,827.
Claims priority of application No. 10-2022-0167625 (KR), filed on Dec. 5, 2022.
Prior Publication US 2024/0187451 A1, Jun. 6, 2024
Int. Cl. H04L 9/40 (2022.01); G06F 16/955 (2019.01); H04L 69/16 (2022.01); H04L 69/22 (2022.01)
CPC H04L 63/1483 (2013.01) [G06F 16/9566 (2019.01); H04L 69/16 (2013.01); H04L 69/22 (2013.01)] 8 Claims
1. A method of detecting a malicious server by an electronic device, the method comprising:
acquiring first feature information of a server Internet protocol (IP) of a malicious website;
acquiring second feature information of a server IP of a comparative website from a response packet of the comparative website;
comparing the first feature information with the second feature information; and
determining that the malicious website has been changed to the comparative website on the basis of a comparison result,
wherein the first feature information includes a plurality of first pieces of protocol information of the server IP of the malicious website, and the second feature information includes a plurality of second pieces of protocol information of the server IP of the comparative website,
wherein the determining that the malicious website has been changed to the comparative website comprises:
calculating similarities between first values of the plurality of first pieces of protocol information included in the first feature information and second values of the plurality of second pieces of protocol information included in the second feature information, wherein the calculating of the similarities is performed by calculating a similarity between each value of the first values of the plurality of first pieces of protocol information and a corresponding value of the second values of the plurality of second pieces of protocol information with respect to a same type of protocol information among a plurality of types of protocol information;
calculating an add-up similarity of the calculated similarities by giving different weights to the calculated similarities according to the types of protocol information, the types of protocol information being different from each other, wherein a smaller weight is given to a type of protocol information, among the plurality of types of protocol information, that is more likely to be dropped in a process of transmitting the response packet to calculate the add-up similarity; and
determining that the malicious website has been changed to the comparative website when the add-up similarity is larger than a predetermined value.
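A worked illustration of the weighted comparison the claim describes, added here as example code that is not part of the patent. The protocol fields, the similarity functions, the weights and the threshold are assumptions chosen for the example; the only structural point taken from the claim is that fields more likely to be altered or dropped in transit receive a smaller weight before the similarities are added up and compared with a threshold.

```python
# Added example (not from the patent): per-field similarity of server IP
# fingerprints, weighted sum, threshold decision.

# Constructed sample fingerprints extracted from response packets.
# Field names are assumptions for illustration only.
MALICIOUS_FINGERPRINT = {
    "ip_initial_ttl": 64,                        # initial TTL inferred from the observed hop count
    "tcp_window": 65535,
    "tcp_options": "mss,sackOK,ts,nop,wscale",
    "http_server": "nginx/1.18.0",
}
COMPARATIVE_FINGERPRINT = {
    "ip_initial_ttl": 64,
    "tcp_window": 65535,
    "tcp_options": "mss,sackOK,nop,wscale",      # one option stripped by a middlebox in transit
    "http_server": "nginx/1.18.0",
}
UNRELATED_FINGERPRINT = {
    "ip_initial_ttl": 128,
    "tcp_window": 8192,
    "tcp_options": "mss",
    "http_server": "Apache/2.4.41",
}

# Assumed weights: the field most likely to be rewritten or dropped on the
# path (TCP options) gets the smallest weight, as the claim requires.
WEIGHTS = {"ip_initial_ttl": 0.2, "tcp_window": 0.3, "tcp_options": 0.1, "http_server": 0.4}


def field_similarity(field: str, a, b) -> float:
    """Similarity in [0, 1] between two values of the same protocol field."""
    if a is None or b is None:
        return 0.0                               # missing field contributes nothing
    if field == "tcp_options":                   # list-valued field: Jaccard overlap
        sa, sb = set(a.split(",")), set(b.split(","))
        return len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0
    return 1.0 if a == b else 0.0                # scalar fields: exact match


def addup_similarity(first: dict, second: dict, weights: dict = WEIGHTS) -> float:
    """Weighted sum of per-field similarities, normalised to [0, 1]."""
    total = sum(weights.values())
    return sum(w * field_similarity(f, first.get(f), second.get(f))
               for f, w in weights.items()) / total


def is_same_server(first: dict, second: dict, threshold: float = 0.8) -> bool:
    """Decide that the malicious site moved to the comparative site."""
    return addup_similarity(first, second) > threshold   # assumed threshold
```

With these inputs the comparative site scores 0.98 and is flagged as the relocated malicious server despite the dropped TCP option, while the unrelated site scores 0.02.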