Systems and methods of detecting email-based attacks through machine learning

US 10,397,272 B1
Filed: 10/23/2018
Issued: 08/27/2019
Est. Priority Date: 05/10/2018
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one processor; and

at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to;

receive an email addressed to a user;

separate the email into a plurality of email components, the email components comprising a first link;

analyze, using machine-learning techniques, each of the plurality of email components, by;

virtually navigating to an end-point of the first link;

tracking re-routing by the first link between a starting point and the end-point;

receiving an automatic download triggered by the virtual navigation;

isolating the automatic download;

analyzing the automatic download; and

analyzing a content of the end-point; and

provide the analysis of each of the plurality of email components into a stacked ensemble analyzer; and

based on an output of the stacked ensemble analyzer, determine that the email is potentially malicious.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system including at least one processor; and at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to: receive an email addressed to a user; separate the email into a plurality of email components; analyze, using respective machine-learning techniques, each of the plurality of email components; feed the analysis of each of the plurality of email components into a stacked ensemble analyzer; and based on an output of the stacked ensemble analyzer, determine whether the email is malicious.

47 Citations

View as Search Results

19 Claims

1. A system comprising:
- at least one processor; and
  
  at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to;
  
  receive an email addressed to a user;
  
  separate the email into a plurality of email components, the email components comprising a first link;
  
  analyze, using machine-learning techniques, each of the plurality of email components, by;
  
  virtually navigating to an end-point of the first link;
  
  tracking re-routing by the first link between a starting point and the end-point;
  
  receiving an automatic download triggered by the virtual navigation;
  
  isolating the automatic download;
  
  analyzing the automatic download; and
  
  analyzing a content of the end-point; and
  
  provide the analysis of each of the plurality of email components into a stacked ensemble analyzer; and
  
  based on an output of the stacked ensemble analyzer, determine that the email is potentially malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the stacked ensemble analyzer comprises a nonparametric model.
  - 3. The system of claim 1, wherein the plurality of email components comprises one or more of an email header, an email body, a subject line, or one or more attachments.
  - 4. The system of claim 3, wherein the computer program code, when executed by the at least one processor, controls the at least one processor to analyze at least one of the email body and the subject line using term frequency-inverse document frequency (TF-IDF) logistic regression trained with an email corpus.
  - 5. The system of claim 4, wherein the computer program code, when executed by the at least one processor, controls the at least one processor to analyze the subject line to determine an implied urgency of the subject line.
  - 6. The system of claim 3, wherein the computer program code, when executed by the at least one processor, controls the at least one processor to analyze the e-mail header using a random decision forest classifier.
  - 7. The system of claim 3, wherein the computer program code, when executed by the at least one processor, controls the at least one processor to analyze the email header by analyzing a path of delivery of the email.
  - 8. The system of claim 1, wherein the computer program code, when executed by the at least one processor, controls the at least one processor to compare a universal resource locator (URL) of the first link with a domain of a sender of the email.
  - 9. The system of claim 1, wherein the stacked ensemble analyzer comprises at least one of random-forest classifier and a gradient boosting machine.
  - 10. The system of claim 1, wherein the computer program code, when executed by the at least one processor, further controls the at least one processor to isolate the potentially malicious email from a user account of the user.
  - 11. The system of claim 1, wherein the system provides at least one of gateway filtering and second-level malicious email detection.

12. A system comprising:
- at least one processor; and
  
  at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to;
  
  receive an email addressed to a user;
  
  separate the email into a plurality of email components;
  
  analyze each of the plurality of email components using machine-learning techniques;
  
  provide the analysis of each of the plurality of email components into a stacked ensemble analyzer;
  
  determine that the email is potentially malicious based on an output of the stacked ensemble analyzer;
  
  output, to a systems operations console, the email;
  
  receive, from the systems operations console, an external indication that the email is malicious; and
  
  update the machine-learning techniques, based on the comparison of the external indication from the systems operations console and the determination that the email is potentially malicious from the ensemble analyzer, by;
  
  updating a training corpus of emails to include the email; and
  
  incrementally retraining the machine-learning techniques based on the updated training corpus.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the computer program code, when executed by the at least one processor, further controls the at least one processor to isolate the malicious email from a user account of the user.
  - 14. The system of claim 12, wherein the system provides at least one of gateway filtering and second-level malicious email detection.
  - 15. The system of claim 12, wherein the computer program code, when executed by the at least one processor, further controls the at least one processor to update the stacked ensemble analyzer with the email analysis, based on the comparison of the external indication and the determination that the email is potentially malicious from the stacked ensemble analyzer.

16. A system comprising:
- at least one processor; and
  
  at least one memory having stored thereon computer program code that, when executed by the at least one processor, controls the at least one processor to;
  
  receive an email addressed to a user;
  
  separate the email into a plurality of email components;
  
  analyze each of the plurality of email components, using machine-learning techniques;
  
  provide the analysis of each of the plurality of email components into a stacked ensemble analyzer;
  
  determine that the email is malicious, based on an output of the stacked ensemble analyzer;
  
  generate a sanitized version of the malicious email, based on the determination that the email is malicious; and
  
  replace, within a user account of the user, a copy of the malicious email with the generated sanitized version of the email.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the plurality of components comprises at least one from among an email header, an email body, a subject line, one or more links, and one or more attachments.
  - 18. The system of claim 16, wherein the computer program code, when executed by the at least one processor, further controls the at least one processor to isolate the malicious email from a user account of the user based on the determination that the email is malicious.
  - 19. The system of claim 16, wherein the system provides at least one of gateway filtering and second-level malicious email detection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Capital One Services LLC (Capital One Financial Corporation)
Original Assignee
Capital One Services LLC (Capital One Financial Corporation)
Inventors
Bruss, Christopher Bayan, Fletcher, Stephen, Yu, Lei, Kressel, Jakob
Primary Examiner(s)
Shayanfar, Ali

Application Number

US16/168,055
Time in Patent Office

308 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 18/214   Generating training pattern...

G06F 18/241   relating to the classificat...

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/568   eliminating virus, restorin...

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 3/044   Recurrent networks, e.g. Ho...

G06N 5/01   Dynamic search techniques; ...

G06N 7/01   Probabilistic graphical mod...

G06V 30/19173   Classification techniques

H04L 51/08   Annexed information, e.g. a...

H04L 51/18   Commands or executable codes

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1483   service impersonation, e.g....

Systems and methods of detecting email-based attacks through machine learning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of detecting email-based attacks through machine learning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links