Detection of email spoofing and spear phishing attacks

US 10,284,579 B2
Filed: 03/22/2017
Issued: 05/07/2019
Est. Priority Date: 03/22/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting an email spear phishing attack, comprising:

generating a contact model of a sender of emails;

determining, by a hardware processor, a statistical dispersion of the generated contact model, the statistical dispersion of the contact model being indicative of a spread of a distribution of data in the generated model;

receiving, over a computer network, an email from the sender;

when the determined statistical dispersion is lower than a dispersion threshold;

evaluating the received email in the processor against a plurality of conditions associated with spear phishing attacks to generate a features vector, the features vector comprising a plurality of binary values and a plurality of dispersion values between 0 and 1;

using at least the generated features vector and the generated contact model to classify the received email as a likely legitimate email or as a likely malicious email spear phishing attack; and

notifying a recipient of the email when the received email is classified as a likely malicious email spear phishing attack.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method of detecting an email spoofing and spear phishing attack may comprise generating a contact model of a sender of emails; determining, by a hardware processor, a statistical dispersion of the generated contact model that is indicative of a spread of a distribution of data in the generated model and receiving, over a computer network, an email from the sender. If the determined statistical dispersion is lower than a dispersion threshold, the received email may be evaluated in the processor against a plurality of conditions associated with email spoofing and spear phishing attacks, using the generated contact model, to generate a features vector that is constituted of a plurality of binary values and a plurality of dispersion values between 0 and 1, and using at least the generated features vector to classify with a supervised learning algorithm the received email as a likely legitimate email or as a likely malicious email spear phishing attack; and notifying a recipient of the email when the received email is classified as a likely malicious email spear phishing attack.

22 Citations

View as Search Results

20 Claims

1. A computer-implemented method of detecting an email spear phishing attack, comprising:
- generating a contact model of a sender of emails;
  
  determining, by a hardware processor, a statistical dispersion of the generated contact model, the statistical dispersion of the contact model being indicative of a spread of a distribution of data in the generated model;
  
  receiving, over a computer network, an email from the sender;
  
  when the determined statistical dispersion is lower than a dispersion threshold;
  
  evaluating the received email in the processor against a plurality of conditions associated with spear phishing attacks to generate a features vector, the features vector comprising a plurality of binary values and a plurality of dispersion values between 0 and 1;
  
  using at least the generated features vector and the generated contact model to classify the received email as a likely legitimate email or as a likely malicious email spear phishing attack; and
  
  notifying a recipient of the email when the received email is classified as a likely malicious email spear phishing attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the statistical dispersion of the contact model comprises an average of the plurality of dispersion values.
  - 3. The computer-implemented method of claim 1, wherein the generated contact model is not used to classify the received email as likely legitimate or likely malicious if the determined statistical dispersion is greater than or equal to the dispersion threshold.
  - 4. The computer-implemented method of claim 1, wherein generating the contact model comprises building the contact model using received emails from the sender during a learning phase over a period of time and thereafter transitioning the contact model to a protection phase during which the built contact model is used to classify the received email as likely legitimate or likely malicious.
  - 5. The computer-implemented method of claim 1, further comprising updating the contact model using a sliding time window by:
    - adding thereto data from recent received emails from the sender of the email anddeleting data from emails older than a predetermined period of time.
  - 6. The computer-implemented method of claim 1, further comprising updating the contact model using data from emails received from the sender at are determined to be true negative (TN) email phishing attacks and false positives (FP) email phishing attacks.
  - 7. The computer-implemented method of claim 1, wherein generating the contact model comprises:
    - extracting an identification of an email application used to send the received email;
      
      simplifying the extracted identification; and
      
      storing the extracted and simplified identification in the contact model.
  - 8. The computer-implemented method of claim 7, wherein simplifying the extracted identification comprises at least stripping a software version number from the extracted identification of the email application used to send the received email.
  - 9. The computer-implemented method of claim 1, wherein the features vector comprises at least one binary value indicative that:
    - the internet protocol (IP) address that sent the received email belongs to a web hosting provider;
      
      the email address in a Reply-To header of the received email does not match the email address in the From header of the received email;
      
      the email address in a Return-Path header of the received email does not match the email address in the From header of the received email;
      
      there is one recipient in To header and no recipient in Cc and Bcc headers of the received email;
      
      the Subject header of the received email contains a keyword intended to create a sense of urgency;
      
      the received email contains language indicative of topics that are deemed to be of a suspicious nature; and
      
      the received email contains at least one of an email address, a telephone number, a URL and an attached dynamic file.

10. A computing device comprising:
- at least one processor;
  
  at least one data storage device coupled to the at least one processor;
  
  a network interface coupled to the at least one processor and to a computer network;
  
  a plurality of processes spawned by said at least one processor, the processes including processing logic for;
  
  generating a contact model of a sender of emails;
  
  determining, by a hardware processor, a statistical dispersion of the generated contact model, the statistical dispersion of the contact model being indicative of a spread of a distribution of data in the generated model;
  
  receiving, over a computer network, an email from the sender;
  
  when the determined statistical dispersion lower than a dispersion threshold;
  
  evaluating the received email in the processor against a plurality of conditions associated with spear phishing attacks to generate a features vector, the features vector comprising a plurality of binary values and a plurality of dispersion values between 0 and 1;
  
  using at least the generated features vector and the generated contact model to classify the received email as a likely legitimate email or as a likely malicious email spear phishing attack; and
  
  notifying a recipient of the email when the received email is classified as a likely malicious email spear phishing attack.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The computing device of claim 10, wherein the statistical dispersion of the contact model comprises an average of the plurality of dispersion values.
  - 12. The computing device of claim 10, wherein the generated contact model is not used to classify the received email as likely legitimate or likely malicious if the determined statistical dispersion is not at least equal to the dispersion threshold.
  - 13. The computing device of claim 10, wherein the processing logic for generating the contact model comprises processing logic for building the contact model using received emails from the sender during a learning phase over a period of time and thereafter transitioning the contact model to a protection phase during which the built contact model is used to classify the received email as likely legitimate or likely malicious.
  - 14. The computing device of claim 10, further comprising processing logic for updating the contact model using a sliding time window by:
    - adding thereto data from recent received emails from the sender of the email anddeleting data from emails older than a predetermined period of time.
  - 15. The computing device of claim 10, further comprising processing logic for updating the contact model using data from emails received from the sender at are determined to be true negative (TN) email phishing attacks and false positives (FP) email phishing attacks.
  - 16. The computing device of claim 10, wherein the processing logic for generating the contact model comprises processing logic for:
    - extracting an identification of an email application used to send the received email;
      
      simplifying the extracted identification; and
      
      storing the extracted and simplified identification in the contact model.
  - 17. The computing device of claim 16, wherein the processing logic for simplifying the extracted identification comprises at least stripping a software version number from the extracted identification of the email application used to send the received email.
  - 18. The computing device of claim 10, wherein the features vector comprises at least one binary value indicative that:
    - the internet protocol (IP) address that sent the received email belongs to a web hosting provider;
      
      the email address in a Reply-To header of the received email does not match an email address in the From header of the received email;
      
      the email address in a Return-Path header of the received email does not match an email address in the From header of the received email;
      
      there is one recipient in To header and no recipient in Cc and Bcc headers of the received email;
      
      the Subject header of the received email contains a keyword intended to create a sense of urgency;
      
      the received email contains language indicative of topics that are deemed to be of a suspicious nature; and
      
      the received email contains at least one of an email address, a telephone number, a URL and an attached dynamic file.
  - 19. The computing device of claim 10, configured as a local email gateway coupled to the computer network.
  - 20. The computing device of claim 10, configured as a remote server accessible over the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VADE USA Incorporated
Original Assignee
VADE Secure Incorporated
Inventors
Goutal, Sebastien
Primary Examiner(s)
Zaidi, Syed A

Application Number

US15/466,588
Publication Number

US 20180278627A1
Time in Patent Office

776 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Detection of email spoofing and spear phishing attacks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of email spoofing and spear phishing attacks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links