Detecting phishing attempts

US 10,277,628 B1
Filed: 09/16/2014
Issued: 04/30/2019
Est. Priority Date: 09/16/2013
Status: Expired due to Fees

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A classification system for detecting attempted deception in an electronic communication, comprising:

a client device used to access the electronic communication addressed to a user of the client device;

at least one of a profile and content database; and

at least one server in communication with the client device and the at least one of the profile and content database, the at least one server comprising;

an interface configured to receive the electronic communication; and

a set of one or more processors configured to;

parse a display name associated with the electronic communication;

determine, by at least one classifier component, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by;

computing a similarity distance between the display name and at least a name of the authoritative entity, wherein the name of the authoritative entity is retrieved from the at least one of the profile and the content database, wherein the similarity distance is computed by comparison of items by at least one of;

basing the comparison on at least one of a match between the display name of the electronic communication and the display name of the authoritative entity, and

a match between headers associated with the electronic communication and headers associated with the authoritative entity,

wherein the matches are determined by at least one of;

determining that the compared items are the same, determining that the compared items have a Hamming distance below a threshold value, determining that the compared items have an edit distance below a threshold value, determining that a support vector machine indicates a similarity based on previously trained examples, determining a similarity score based on how many characters were replaced by characters of sufficient similarity and performing at least one normalization followed by a comparison;

determine, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity;

based at least in part on determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity and determining that the electronic communication was not transmitted with authorization from the authoritative entity, perform a security determination including classifying the electronic communication, wherein the classifying includes two or more security classifications including good and bad; and

based at least in part on the security determination resulting in a bad classification, perform an action comprising at least one of erasing the electronic communication, marking up the electronic communication at least in part by adding a warning or an explanation, flagging the electronic communication, forwarding the electronic communication to a third party, placing the electronic communications in the spam folder, and forwarding the electronic communication to a repository; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

Classifying electronic communications is disclosed. An electronic communication is received. A first likelihood that a potential recipient of the electronic communication would conclude that the communication was transmitted on behalf of an authoritative entity is determined. An assessment of a second likelihood that the received communication was transmitted with authorization from the purported authoritative entity is performed. The electronic communication is classified based at least in part on the first and second liklihoods.

193 Citations

15 Claims

1. A classification system for detecting attempted deception in an electronic communication, comprising:
- a client device used to access the electronic communication addressed to a user of the client device;
  
  at least one of a profile and content database; and
  
  at least one server in communication with the client device and the at least one of the profile and content database, the at least one server comprising;
  
  an interface configured to receive the electronic communication; and
  
  a set of one or more processors configured to;
  
  parse a display name associated with the electronic communication;
  
  determine, by at least one classifier component, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by;
  
  computing a similarity distance between the display name and at least a name of the authoritative entity, wherein the name of the authoritative entity is retrieved from the at least one of the profile and the content database, wherein the similarity distance is computed by comparison of items by at least one of;
  
  basing the comparison on at least one of a match between the display name of the electronic communication and the display name of the authoritative entity, and
  
  a match between headers associated with the electronic communication and headers associated with the authoritative entity,
  
  wherein the matches are determined by at least one of;
  
  determining that the compared items are the same, determining that the compared items have a Hamming distance below a threshold value, determining that the compared items have an edit distance below a threshold value, determining that a support vector machine indicates a similarity based on previously trained examples, determining a similarity score based on how many characters were replaced by characters of sufficient similarity and performing at least one normalization followed by a comparison;
  
  determine, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity;
  
  based at least in part on determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity and determining that the electronic communication was not transmitted with authorization from the authoritative entity, perform a security determination including classifying the electronic communication, wherein the classifying includes two or more security classifications including good and bad; and
  
  based at least in part on the security determination resulting in a bad classification, perform an action comprising at least one of erasing the electronic communication, marking up the electronic communication at least in part by adding a warning or an explanation, flagging the electronic communication, forwarding the electronic communication to a third party, placing the electronic communications in the spam folder, and forwarding the electronic communication to a repository; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 wherein determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity includes evaluating text present in a body portion of the electronic communication.
  - 3. The system of claim 2 wherein determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity includes performing one or more pre-processing operations on the text, including a normalization.
  - 4. The system of claim 2 wherein evaluating the text includes evaluating the text using a collection of terms.
  - 5. The system of claim 2 wherein evaluating the text includes performing an equivalence analysis.
  - 6. The system of claim 2 wherein determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity includes evaluating one or more images.
  - 7. The system of claim 6 wherein evaluating the one or more images includes performing optical character recognition on the one or more images.
  - 8. The system of claim 6 wherein evaluating the one or more images includes performing edge detection analysis.
  - 9. The system of claim 6 wherein evaluating the one or more images includes performing color pattern analysis.
  - 10. The system of claim 6 wherein evaluating the one or more images includes evaluating one or more images linked to the electronic communication.
  - 11. The system of claim 2 wherein determining whether the electronic communication appears to have been transmitted on behalf of the authoritative entity includes evaluating an email address included in the electronic communication.
  - 12. The system of claim 1 wherein determining that the electronic communication was not transmitted with authorization from the authoritative entity includes determining whether the electronic communication was authenticated by the authoritative entity.
  - 13. The system of claim 1 wherein determining that the electronic communication was not transmitted with authorization from the authoritative entity includes evaluating a delivery path associated with the electronic communication.

14. A method for detecting attempted deception in an electronic communication, comprising:
- receiving, by at least one server, an electronic communication addressed to a user of a client device;
  
  parsing, by the at least one server, a display name associated with the electronic communication;
  
  determining, by at least one classifier component executing on one or more processors, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by;
  
  computing a similarity distance between the display name and at least a name of the authoritative entity, wherein the name of the authoritative entity is retrieved from the at least one of the profile and a content database, wherein the similarity distance is computed by comparison of items by at least one of;
  
  basing the comparison on at least one of a match between the display name associated with the electronic communication and the display name of the authoritative entity, anda match between headers associated with the electronic communication and headers associated with the authoritative entity,wherein the matches are determined by at least one of;
  
  determining that the compared items are the same, determining that the compared items have a Hamming distance below a threshold value, determining that the compared items have an edit distance below a threshold value, determining that a support vector machine indicates a similarity based on previously trained examples, determining a similarity score based on how many characters were replaced by characters of sufficient similarity and performing at least one normalization followed by a comparison;
  
  determine, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity;
  
  based at least in part on determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity and determining that the electronic communication was not transmitted with authorization from the authoritative entity, perform a security determination, by the at least one server, including classifying the electronic communication, wherein the classifying includes two or more security classifications including good and bad; and
  
  based at least in part on the security determination resulting in a bad classification, perform an action by the at least one server comprising at least one of erasing the electronic communication, marking up the electronic communication at least in part by adding a warning or an explanation, flagging the electronic communication, forwarding the electronic communication to a third party, placing the electronic communications in the spam folder, and forwarding the electronic communication to a repository.

15. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions executed by at least one server for detecting attempted deception in an electronic communication, the computer instructions for:
- receiving an electronic communication addressed to a user of a client device;
  
  parsing a display name associated with the electronic communication;
  
  determining, by at least one classifier component executing on one or more processors, that the electronic communication appears to have been transmitted on behalf of an authoritative entity by;
  
  computing a similarity distance between the display name and at least a name of the authoritative entity, wherein the name of the authoritative entity is retrieved from at least one of a profile and a content database, and wherein the similarity distance is computed by comparison of items by at least one of;
  
  basing the comparison on at least one of a match between the display name of the electronic communication and the display name of the authoritative entity, anda match between headers associated with the electronic communication and headers associated with the authoritative entity,wherein the matches are determined by at least one of;
  
  determining that the compared items are the same, determining that the compared items have a Hamming distance below a threshold value, determining that the compared items have an edit distance below a threshold value, determining that a support vector machine indicates a similarity based on previously trained examples, determining a similarity score based on how many characters were replaced by characters of sufficient similarity and performing at least one normalization followed by a comparison;
  
  determining, by the at least one classifier component, that the electronic communication was not transmitted with authorization from the authoritative entity;
  
  based at least in part on determining that the electronic communication appears to have been transmitted on behalf of the authoritative entity and determining that the electronic communication was not transmitted with authorization from the authoritative entity, perform a security determination including classifying the electronic communication, wherein the classifying includes two or more security classifications including good and bad; and
  
  based at least in part on the security determination resulting in a bad classification, perform an action comprising at least one of erasing the electronic communication, marking up the electronic communication at least in part by adding a warning or an explanation, flagging the electronic communication, forwarding the electronic communication to a third party, placing the electronic communications in the spam folder, and forwarding the electronic communication to a repository.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
ZapFraud, Inc. (Bjorn Markus Jakobsson)
Original Assignee
ZapFraud, Inc. (Bjorn Markus Jakobsson)
Inventors
Jakobsson, Bjorn Markus
Primary Examiner(s)
Doan, Trang T

Application Number

US14/487,989
Time in Patent Office

1,687 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 51/212   using filtering or selectiv...

H04L 51/216   Handling conversation histo...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

Detecting phishing attempts

First Claim

1 Assignment

Litigations

0 Petitions

Accused Products

Abstract

193 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Detecting phishing attempts

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others