Methods for preventing cyber intrusions and phishing activity

US 10,193,923 B2
Filed: 07/12/2017
Issued: 01/29/2019
Est. Priority Date: 07/20/2016
Status: Active Grant

First Claim

Patent Images

1. A system for mitigating attacks on a computer network, the system comprising:

a web interface configured to receive target domain name input;

a remote computing server that is configured to generate phishing domain names and that comprises one or more computer processors and a memory storing computer-executable instructions that when executed by the one or more computer processors perform the steps of;

receiving the target domain input, wherein the target domain input comprises a domain name associated with a target entity or target entity data that is useable to generate a plurality of phishing attack domain names;

using the target domain name input to create a plurality of phishing attack domain names, wherein creating the plurality of phishing attack domain names includes;

identifying a plurality of domain name transformation operations that operate to transform the domain name associated with the target entity to one or more attack domain names;

selecting one or more of the identified domain name transformation operations based on features of the domain name; and

applying the selected domain name transformation operations to the domain name;

generating a phishing value for each of the plurality of phishing attack domain names, wherein generating the phishing value includes calculating a likelihood a user would succumb to a phishing attack using a respective phishing attack domain name of the plurality of phishing attack domain names;

setting a phishing value threshold indicating a minimum likelihood of implementing the phishing attack with a created phishing attack domain name;

dynamically changing the phishing value threshold based on a number of phishing attack domain names created;

calculating a visual similarity score for each of the plurality of phishing attack domain names, wherein the visual similarity score indicates a level of resemblance between the target domain name and a phishing attack domain name of the plurality of phishing attack domain names;

selecting a subset of the plurality of phishing attack domain names based on the phishing value threshold and the visual similarity;

implementing one or more computer security protocols that mitigate the likelihood or the probability that the plurality of phishing attack domain names are used in the phishing campaign against the computer network, wherein implementing the one or more computer security protocols includes;

generating one or more e-mail validation policies that restrict e-mail activity from the subset of the plurality of phishing attack domain names to one or more networked devices of the computer network;

updating a security certificate for each of the phishing attack domain names in the subset; and

managing access to each of the phishing attack domain names based on the security certificate.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for mitigating cyber intrusions includes: receiving target domain input, wherein the target domain input comprises a domain name associated with a target entity or target entity data that is useable to generate phishing attack domain names; using the target domain name input to generate the phishing attack domain names, wherein the phishing attack domain names include a plurality of domain names each having a phishing value comprising a likelihood or a probability of being used in a phishing campaign against the digital resources, where the likelihood or the probability satisfies a predetermined phishing value threshold; arranging the phishing attack domain names in a hierarchical order; and implementing one or more digital resources security protocols that mitigates the likelihood or the probability that selected domain names of the phishing attack domain names may be used in the phishing campaign against the digital resources.

50 Citations

View as Search Results

20 Claims

1. A system for mitigating attacks on a computer network, the system comprising:
- a web interface configured to receive target domain name input;
  
  a remote computing server that is configured to generate phishing domain names and that comprises one or more computer processors and a memory storing computer-executable instructions that when executed by the one or more computer processors perform the steps of;
  
  receiving the target domain input, wherein the target domain input comprises a domain name associated with a target entity or target entity data that is useable to generate a plurality of phishing attack domain names;
  
  using the target domain name input to create a plurality of phishing attack domain names, wherein creating the plurality of phishing attack domain names includes;
  
  identifying a plurality of domain name transformation operations that operate to transform the domain name associated with the target entity to one or more attack domain names;
  
  selecting one or more of the identified domain name transformation operations based on features of the domain name; and
  
  applying the selected domain name transformation operations to the domain name;
  
  generating a phishing value for each of the plurality of phishing attack domain names, wherein generating the phishing value includes calculating a likelihood a user would succumb to a phishing attack using a respective phishing attack domain name of the plurality of phishing attack domain names;
  
  setting a phishing value threshold indicating a minimum likelihood of implementing the phishing attack with a created phishing attack domain name;
  
  dynamically changing the phishing value threshold based on a number of phishing attack domain names created;
  
  calculating a visual similarity score for each of the plurality of phishing attack domain names, wherein the visual similarity score indicates a level of resemblance between the target domain name and a phishing attack domain name of the plurality of phishing attack domain names;
  
  selecting a subset of the plurality of phishing attack domain names based on the phishing value threshold and the visual similarity;
  
  implementing one or more computer security protocols that mitigate the likelihood or the probability that the plurality of phishing attack domain names are used in the phishing campaign against the computer network, wherein implementing the one or more computer security protocols includes;
  
  generating one or more e-mail validation policies that restrict e-mail activity from the subset of the plurality of phishing attack domain names to one or more networked devices of the computer network;
  
  updating a security certificate for each of the phishing attack domain names in the subset; and
  
  managing access to each of the phishing attack domain names based on the security certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the remote computing server is further configured to generate the visual similarity scores for the plurality of phishing attack domain names, wherein generating the visual similarity scores includes:
    - comparing each of the plurality of phishing attack domain names to the domain name of the target entity;
      
      using the visual similarity to rank the plurality of phishing attack domain names with respect to each other;
      
      wherein the remote computing server further implements the one or more computer security protocols by (i) automatically selecting a portion of the plurality of phishing attack domain names based on the visual similarity scores and (ii) restricting a capability of a malicious actor to use the portion of the plurality of phishing attack domain names in the phishing campaign against the computer network.
  - 3. The system of claim 1, wherein the remote computing server is further:
    - ranks each of the plurality of phishing attack domain names based on calculated fit scores, wherein the fit scores indicate a probability or a likelihood of successfully implementing a phishing attack on the target computer network using one of the plurality of phishing attach domain names;
      
      automatically selects at least a phishing attack domain name of the plurality of phishing attack domain names having a highest rank in the hierarchical order; and
      
      implements one or more computer security protocols based on the selection.
  - 4. The system of claim 3, wherein implementing the one or more computer security protocols includes implementing a digital lockdown of the plurality of phishing attack domain names, wherein the digital lockdown includes restricting digital access and use of the plurality of phishing attack domain names by entities other than the target entity.
  - 5. The system of claim 1, further comprising:
    - a pseudo domain name database, the pseudo domain name database includes characters, each of the characters being electronically associated with a visually similar character or visually similar characters useable in a phishing attack domain name generation process, wherein the web server is in operable communication with the pseudo domain name database.
  - 6. The system according to claim 1, whereina selected domain name transformation operation comprises a homoglyphic domain transformation operation that modifies a second-level domain name portion of the domain name associated with the target entity.
  - 7. The system according to claim 1, whereinimplementing the one or more security protocols includes registering each of the phishing attack domain names in the subset.

8. A method for preventing a cyber intrusion of digital resources of a target entity, the method comprising:
- at a web computing server;
  
  receiving target domain input, wherein the target domain input comprises a domain name associated with a target entity or target entity data that is useable to create a plurality of phishing attack domain names;
  
  using the target domain name input to create the plurality of phishing attack domain names, wherein creating the plurality of phishing attack domain names includes;
  
  identifying a plurality of domain name transformation operations that operate to transform the domain name associated with the target entity to one or more attack domain names;
  
  selecting one or more of the identified domain name transformation operations based on features of the domain name; and
  
  applying the selected domain name transformation operations to the domain name;
  
  generating a phishing value for each of the plurality of phishing attack domain names, wherein generating the phishing value includes calculating a likelihood a user would succumb to a phishing attack using a respective phishing attack domain name of the plurality of phishing attack domain names;
  
  setting a phishing value threshold indicating a minimum likelihood of implementing the phishing attack with a created phishing attack domain name;
  
  dynamically changing the phishing value threshold based on a number of phishing attack domain names created;
  
  calculating a visual similarity score for each of the plurality of phishing attack domain names, wherein the visual similarity score indicates a level of resemblance between the target domain name and a phishing attack domain name of the plurality of phishing attack domain names;
  
  selecting a subset of the plurality of phishing attack domain names based on the phishing value threshold and the visual similarity;
  
  implementing one or more digital resources security protocols that mitigates the likelihood or the probability that selected domain names of the plurality of phishing attack domain names may be used in the phishing campaign against the digital resources, wherein implementing the one or more computer security protocols includes;
  
  generating one or more e-mail validation policies that restrict e-mail activity from the subset of the plurality of phishing attack domain names to one or more networked devices of the computer network;
  
  updating a security certificate for each of the phishing attack domain names in the subset; and
  
  managing access to each of the phishing attack domain names based on the security certificate.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 9. The method of claim 8, wherein the predetermined phishing value threshold defines a minimum likelihood or a minimum probability of successfully implementing a phishing attack on one or more digital resources.
  - 10. The method of claim 9, wherein any of the plurality of phishing attack domain names having the likelihood or the probability of successfully being used in the phishing campaign that satisfies or exceeds the predetermined phishing value is automatically populated to a list or a table of phishing domain name candidates, andwherein any of the plurality of phishing attack domain names having the likelihood or the probability of successfully being used in the phishing campaign that does not satisfy or exceed the predetermined phishing value is not included in the list or the table of phishing domain name candidates.
  - 11. The method of claim 8, at the web server further comprising:
    - identifying phishing attack domain name generation parameters, wherein the phishing attack domain name parameters include one or more of an amount of attack domain names to be generated, a selection of one or more types of domain name modification operations to be performed in the generating the phishing attack domain names, a number of iterations of generated attack domain names, and an identification of one or more phishing attack domain name generation input data sources.
  - 12. The method of claim 11, at the web server further comprising:
    - applying the one or more types of domain name modification operations that are statistically common domain name variation types used by cyber attackers.
  - 13. The method of claim 8, wherein further at the web computing server:
    - using the target domain name input to identify additional target entity data relating to the target entity; and
      
      in response to identifying the additional target entity data, collecting the additional target entity data to be used as input in generating the plurality of phishing attack domain names.
  - 14. The method of claim 8, wherein implementing the one or more digital resources security protocols includes implementing a digital lockdown of the plurality of phishing attack domain names, wherein the digital lockdown includes restricting digital access and use of the plurality of phishing attack domain names by entities other than the target entity.
  - 15. The method of claim 8, further comprises configuring the web computing server to:
    - rank each of the plurality of phishing attack domain names based the phishing value of the respective phishing attack domain name;
      
      automatically select one or more of the plurality of phishing attack domain names; and
      
      wherein implementing the one or more digital resources security protocols is implemented for the selected one or more of the plurality of phishing attack domain names.
  - 16. The method of claim 8, further comprising configuring the sever to perform modification operations to the target domain name by one or a combination of homoglyphic modification, bitsquatting modification, omission modification, replacement modification, transposition modification, singularizing, pluralization, punctuation modification, and appending modification.
  - 17. The method of claim 8, wherein the plurality of phishing attack domain names are look-alike domain names with respect to the target domain name, such that when the plurality of phishing attack domain names are compared to the target domain name, there are visual similarities between each of the plurality of phishing attack domain names and the target domain name.
  - 18. The method of claim 15, wherein the plurality of phishing attack domain names are generated according to a selection of one or of a combination of domain name transformation processes including a homoglyph transformation process, a TLD alternation/modification process, generic or service-specific prefix/suffix augmentation process, character repositioning and spacing, character transposition process, and character deletion process.
  - 19. The system according to claim 17, wherein:
    - (i) the web server is in operable communication with the pseudo domain name database,(ii) the web server also functions as a target domain name analysis unit that analyzes one or more features and attributes of the identified the target domain name to identify each of the characters in at least a second-level domain name portion and a top-level domain name portion of each of the target domain name,(iii) when the web server function as a phishing attack domain name generation unit, the web server identifies one or more characters in the pseudo domain name database to substitute in a place of one or more characters in at least one of the target domain name based on the analysis at the target domain name analysis unit, and(iv) the web server functioning as the phishing attack domain name generation unit generates at least one of the plurality of phishing attack domain names by substituting one or more characters from the pseudo domain name database into the target domain name.
  - 20. The system of claim 18, wherein the target domain name analysis unit also compares each character in the second-level domain name portion of the at least one of the target domain name to the characters in the pseudo domain name database to determine whether any of the characters in the second-level domain name portion has a corresponding visually similar character or characters in the pseudo domain name database, andwherein the target domain name analysis unit communicates to the phishing attack domain name generation unit each of the characters in the second-level domain name portion having a corresponding visually similar character or characters in the pseudo domain name database and an indication of which visually similar character or characters in the pseudo domain name database that corresponds to each character of the second-level domain name portion of the target domain name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Wright, Jordan, Oberheide, Jon
Primary Examiner(s)
Turchen, James R

Application Number

US15/648,361
Publication Number

US 20180027013A1
Time in Patent Office

566 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 2221/2119   Authenticating web pages, e...

H04L 61/301   Name conversion

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

Methods for preventing cyber intrusions and phishing activity

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for preventing cyber intrusions and phishing activity

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links