Patent 12028372 was granted and assigned to Proofpoint in July 2024 by the United States Patent and Trademark Office.
Systems, methods and products for identifying “similar” threats by clustering the threats based on their corresponding forensics. A corpus of forensic data for a plurality of threat URLs is obtained by a threat protection system, the data including the forensic elements corresponding to each threat URL. For each pair of threat URLs, the corresponding forensic elements are examined to identify shared forensic elements. A similarity score is then generated for the pair of threat URLs based on this comparison of the corresponding forensic elements, including both malicious and non-malicious elements. Based on the similarity score generated for each pair of threat URLs, clusters of the threat URLs are identified, with each cluster including a subset of the plurality of threat URLs. Clusters of URLs similar to a selected URL may be identified by accessing the threat cluster information through a similar-threat search interface or through internal APIs of the threat protection system.
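The abstract describes a pipeline (forensic corpus, pairwise similarity over shared elements including non-malicious ones, clustering, lookup of the cluster for a selected URL) without fixing the metric or the clustering rule. The following is an added illustration of that pipeline, not code from the patent or from Proofpoint's product: it assumes a weighted Jaccard score over forensic-element sets, single-linkage clustering at a fixed threshold, and a small constructed corpus of threat URLs with placeholder hashes and hostnames. The names `similarity`, `pairwise_scores`, `cluster_threats` and `similar_threats` are this example's own.

```python
# Added example (not the patent's implementation): pairwise forensic-similarity
# scoring and threshold clustering of threat URLs. Assumptions: weighted Jaccard
# as the score, union-find at a fixed threshold as the clustering rule, and a
# constructed corpus whose hashes and hosts are placeholders.
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Element = Tuple[str, str, bool]  # (element_type, value, is_malicious)
Pair = FrozenSet[str]            # unordered pair of threat URLs

# Constructed forensic elements, as a URL-detonation pipeline might emit them.
KIT   = ("script_hash",      "sha256:11aa", False)  # phishing-kit JS, benign-looking alone
C2    = ("dns_lookup",       "c2-a.example", True)
DROP  = ("dropped_file",     "sha256:22bb", True)
PHASH = ("screenshot_phash", "f0f0f0f0", False)
CRED  = ("form_post",        "harvest.example/post", True)
BRAND = ("page_title",       "Sign in to your account", False)
REDIR = ("redirect",         "tracker.example/r", False)
ALT   = ("dns_lookup",       "other.example", True)

# Constructed corpus: threat URL -> forensic elements observed for it.
CORPUS: Dict[str, Set[Element]] = {
    "http://site-a.example/login":   {KIT, C2, DROP, PHASH},
    "http://site-b.example/verify":  {KIT, C2, DROP, REDIR},
    "http://site-c.example/account": {KIT, PHASH, BRAND},
    "http://site-d.example/secure":  {CRED, BRAND, REDIR},
    "http://site-e.example/update":  {CRED, BRAND, PHASH},
    "http://site-f.example/dl":      {ALT},
}


def similarity(a: Set[Element], b: Set[Element],
               w_malicious: float = 2.0, w_benign: float = 1.0) -> float:
    """Weighted Jaccard over forensic elements (assumed metric).

    Non-malicious elements count too: two pages sharing only a benign page
    title and screenshot hash still score above zero, which is the point of
    including them. Weighting malicious elements higher is an assumption of
    this example, not something the abstract specifies.
    """
    def weight(e: Element) -> float:
        return w_malicious if e[2] else w_benign

    union = a | b
    if not union:
        return 0.0
    return sum(weight(e) for e in a & b) / sum(weight(e) for e in union)


def pairwise_scores(corpus: Dict[str, Set[Element]]) -> Dict[Pair, float]:
    """Score every unordered pair of threat URLs in the corpus."""
    return {frozenset((u, v)): similarity(corpus[u], corpus[v])
            for u, v in combinations(sorted(corpus), 2)}


def cluster_threats(corpus: Dict[str, Set[Element]], scores: Dict[Pair, float],
                    threshold: float = 0.5) -> List[FrozenSet[str]]:
    """Single-linkage clustering via union-find: join any pair scoring >= threshold."""
    parent = {u: u for u in corpus}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for pair, score in scores.items():
        if score >= threshold:
            u, v = sorted(pair)
            parent[find(u)] = find(v)
    groups: Dict[str, Set[str]] = {}
    for u in corpus:
        groups.setdefault(find(u), set()).add(u)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def similar_threats(url: str, clusters: List[FrozenSet[str]],
                    scores: Dict[Pair, float]) -> List[Tuple[str, float]]:
    """The similar-threat search: other members of url's cluster, highest score first."""
    for group in clusters:
        if url in group:
            hits = [(v, scores[frozenset((url, v))]) for v in group if v != url]
            return sorted(hits, key=lambda t: (-t[1], t[0]))
    raise KeyError(f"{url} is not in the corpus")


if __name__ == "__main__":
    all_scores = pairwise_scores(CORPUS)
    found = cluster_threats(CORPUS, all_scores)
    for g in found:
        print(sorted(g))
    print(similar_threats("http://site-a.example/login", found, all_scores))
```

Running the block clusters site-a with site-b (they share the kit script, the C2 lookup and the dropped file) and site-d with site-e (a shared credential-harvesting endpoint and page title), while site-c and site-f stay singletons. Setting `w_benign=0.0` shows what the non-malicious elements buy: site-a and site-c then score 0, although they share the same kit script and screenshot hash, which is exactly the kind of link an analyst searching for similar threats wants surfaced. The threshold is the tuning knob a practitioner would calibrate against known campaigns; too low and benign commodity elements (a CDN script, a generic title) merge unrelated threats.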