Detecting phishing attempts
First Claim
1. A classification system for detecting attempted deception in an electronic communication, comprising:
a client device used to access the electronic communication addressed to a user of the client device;
at least one of a profile and content database; and
at least one server in communication with the client device and the at least one of the profile and content database, the at least one server comprising:
an interface configured to receive the electronic communication; and
a set of one or more processors configured to:
parse a display name associated with the electronic communication;
determine, by at least one classifier component, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by:
computing a similarity distance between the display name and at least a name of the authoritative entity, wherein the name of the authoritative entity is retrieved from the at least one of the profile and the content database, wherein the similarity distance is computed by comparison of items by at least one of:
basing the comparison on at least one of a match between the display name of the electronic communication and the display name of the authoritative entity, and
a match between headers associated with the electronic communication and headers associated with the authoritative entity,
wherein the matches are determined by at least one of:
determining that the compared items are the same, determining that the compared items have a Hamming distance below a threshold value, determining that the compared items have an edit distance below a threshold value, determining that a support vector machine indicates a similarity based on previously trained examples, determining a similarity score based on how many characters were replaced by characters of sufficient similarity and performing at least one normalization followed by a comparison;
determine, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity;
based at least in part on determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity and determining that the electronic communication was not transmitted with authorization from the authoritative entity, perform a security determination including classifying the electronic communication, wherein the classifying includes two or more security classifications including good and bad; and
based at least in part on the security determination resulting in a bad classification, perform an action comprising at least one of erasing the electronic communication, marking up the electronic communication at least in part by adding a warning or an explanation, flagging the electronic communication, forwarding the electronic communication to a third party, placing the electronic communications in the spam folder, and forwarding the electronic communication to a repository; and
a memory coupled to the processor and configured to provide the processor with instructions.
Abstract
Classifying electronic communications is disclosed. An electronic communication is received. A first likelihood that a potential recipient of the electronic communication would conclude that the communication was transmitted on behalf of an authoritative entity is determined. An assessment of a second likelihood that the received communication was transmitted with authorization from the purported authoritative entity is performed. The electronic communication is classified based at least in part on the first and second likelihoods.
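The two determinations in the abstract and in claim 1, sketched as an added example that is not code from the patent: the display name is normalized and compared by edit distance against names from a profile database, then checked against the entity's sending domains. The `PROFILES` entries, the `CONFUSABLES` table, the threshold of 3 and the use of a domain allowlist as the authorization test are all assumptions made for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed profile database: entity name -> domains allowed to send for it.
PROFILES = {"PayPal": {"paypal.com"}, "Example Bank": {"examplebank.test"}}

# Small constructed look-alike table (digits, symbols, a few Cyrillic letters).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s",
                             "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0440": "p"})

def normalize(name):
    """Normalization before comparison: NFKD, drop accents, casefold, map look-alikes."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).casefold()
    return "".join(c for c in s.translate(CONFUSABLES) if c.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header, threshold=3):
    """Return ("bad", entity) when the display name resembles a profiled entity
    but the sending domain is not one of that entity's domains."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    words = display.split()
    # Compare every contiguous run of words, so "PayPal Support" still matches "PayPal".
    spans = {normalize(" ".join(words[i:j]))
             for i in range(len(words)) for j in range(i + 1, len(words) + 1)}
    for entity, domains in PROFILES.items():
        target = normalize(entity)
        appears = any(edit_distance(s, target) < threshold for s in spans)
        # Assumption: authorization is approximated by a domain allowlist; the From
        # address is forgeable, so a deployment would use an authenticated domain.
        authorized = any(domain == d or domain.endswith("." + d) for d in domains)
        if appears and not authorized:
            return "bad", entity
    return "good", None
```

A message is classified bad only when both conditions hold, so an ordinary sender whose display name resembles no profiled entity passes regardless of domain.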
15 Claims
14. A method for detecting attempted deception in an electronic communication, comprising:
receiving, by at least one server, an electronic communication addressed to a user of a client device;
parsing, by the at least one server, a display name associated with the electronic communication;
determining, by at least one classifier component executing on one or more processors, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by:
computing a similarity distance between the display name and at least a name of the authoritative entity, wherein the name of the authoritative entity is retrieved from the at least one of the profile and a content database, wherein the similarity distance is computed by comparison of items by at least one of:
basing the comparison on at least one of a match between the display name associated with the electronic communication and the display name of the authoritative entity, and
a match between headers associated with the electronic communication and headers associated with the authoritative entity,
wherein the matches are determined by at least one of:
determining that the compared items are the same, determining that the compared items have a Hamming distance below a threshold value, determining that the compared items have an edit distance below a threshold value, determining that a support vector machine indicates a similarity based on previously trained examples, determining a similarity score based on how many characters were replaced by characters of sufficient similarity and performing at least one normalization followed by a comparison;
determine, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity;
based at least in part on determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity and determining that the electronic communication was not transmitted with authorization from the authoritative entity, perform a security determination, by the at least one server, including classifying the electronic communication, wherein the classifying includes two or more security classifications including good and bad; and
based at least in part on the security determination resulting in a bad classification, perform an action by the at least one server comprising at least one of erasing the electronic communication, marking up the electronic communication at least in part by adding a warning or an explanation, flagging the electronic communication, forwarding the electronic communication to a third party, placing the electronic communications in the spam folder, and forwarding the electronic communication to a repository.
15. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions executed by at least one server for detecting attempted deception in an electronic communication, the computer instructions for:
receiving an electronic communication addressed to a user of a client device;
parsing a display name associated with the electronic communication;
determining, by at least one classifier component executing on one or more processors, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by:
computing a similarity distance between the display name and at least a name of the authoritative entity, wherein the name of the authoritative entity is retrieved from at least one of a profile and a content database, and wherein the similarity distance is computed by comparison of items by at least one of:
basing the comparison on at least one of a match between the display name of the electronic communication and the display name of the authoritative entity, and
a match between headers associated with the electronic communication and headers associated with the authoritative entity,
wherein the matches are determined by at least one of:
determining that the compared items are the same, determining that the compared items have a Hamming distance below a threshold value, determining that the compared items have an edit distance below a threshold value, determining that a support vector machine indicates a similarity based on previously trained examples, determining a similarity score based on how many characters were replaced by characters of sufficient similarity and performing at least one normalization followed by a comparison;
determining, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity;
based at least in part on determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity and determining that the electronic communication was not transmitted with authorization from the authoritative entity, perform a security determination including classifying the electronic communication, wherein the classifying includes two or more security classifications including good and bad; and
based at least in part on the security determination resulting in a bad classification, perform an action comprising at least one of erasing the electronic communication, marking up the electronic communication at least in part by adding a warning or an explanation, flagging the electronic communication, forwarding the electronic communication to a third party, placing the electronic communications in the spam folder, and forwarding the electronic communication to a repository.
Specification