Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications
First Claim
1. A system comprising:
one or more computer readable storage mediums having program instructions embodied thereon; and
one or more hardware processors configured to execute the program instructions to cause the system to:
transmit data for displaying a dynamic user interface indicating a plurality of priority tiers of different priorities for assessing if emails are undesirable;
in response to receiving a selection of a first priority tier of the plurality of priority tiers, update the dynamic user interface to indicate a plurality of clusters of emails associated with the first priority tier including at least a first cluster of emails, wherein a first plurality of emails are included in the first cluster of emails based at least in part on having a first feature in common;
in response to receiving a selection of at least the first cluster of emails of the plurality of clusters of email, update the dynamic user interface to display:
the first plurality of emails that are included in the first cluster of emails; and
a second email included in the first cluster of emails, wherein the second email does not include the first feature that is common to the first plurality of emails, and wherein the second email shares a second feature in common with at least one email from the first plurality of emails;
in response to receiving one or more user interactions with the dynamic user interface, update the dynamic user interface to display:
a plurality of uniform resource locators (URLs), wherein each URL in the plurality of URLs is embedded in one or more of the emails of the first cluster of emails included in the first priority tier;
information about a plurality of users, wherein each user of the plurality of users accessed one or more of the plurality of URLs embedded in one or more emails of the first cluster of emails included in the first priority tier;
transmit data for displaying, in the dynamic user interface, a menu of labels selectable to associate a status or maliciousness with a cluster; and
in response to receiving a selection of a first label from the menu of labels, associate the first label with the first cluster of emails including the first plurality of emails and the second email.
Abstract
A data analysis system receives potentially undesirable electronic communications and automatically groups them in computationally-efficient data clusters, automatically analyzes those data clusters, automatically tags and groups those data clusters, and provides results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the data clusters may include an automated application of various criteria or rules so as to generate an ordered display of the groups of related data clusters such that the analyst may quickly and efficiently evaluate the groups of data clusters. In particular, the groups of data clusters may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various groups of data clusters and efficiently evaluate those data clusters.
11 Claims
1. A system comprising: (text as set out under First Claim above; dependent claims 2, 3, 4)
5. A method for analyzing suspicious emails comprising:
displaying, on a display device, a dynamic user interface indicating a plurality of priority tiers indicating different priorities for analyzing suspicious emails;
receiving a selection of a first priority tier from among the plurality of priority tiers;
in response to receiving the selection of the first priority tier, updating the dynamic user interface to indicate a plurality of clusters of emails associated with the first priority tier including at least a first cluster of emails, wherein a first plurality of emails are included in the first cluster based at least in part on having a first feature in common;
receiving a selection of at least the first cluster of emails from among the plurality of clusters of emails;
in response to receiving the selection of at least the first cluster of emails, causing the dynamic user interface to display:
the first plurality of emails that are included in the first cluster of emails; and
a second email included in the first cluster of emails, wherein the second email does not include the first feature that is common to the first plurality of emails, and wherein the second email shares a different feature in common with at least one email from the first plurality of emails;
in response to receiving one or more user interactions with the dynamic user interface, updating the dynamic user interface to display:
a plurality of uniform resource locators (URLs), wherein each URL in the plurality of URLs is embedded in one or more of the emails of the first cluster of emails included in the first priority tier; and
information about a plurality of users, wherein each user of the plurality of users accessed one or more of the URLs embedded in one or more emails of the first cluster of emails included in the first priority tier;
displaying, in the dynamic user interface, a menu including a plurality of labels selectable to associate a status or maliciousness with a cluster;
receiving a selection of a first label from the plurality of labels; and
in response to receiving the selection of the first label, classifying the first cluster of emails including the first plurality of emails and the second email with the first label.
Dependent claims: 6, 7, 8
9. A system comprising:
one or more computer readable storage mediums having program instructions embodied thereon; and
one or more hardware processors configured to execute the program instructions to cause the system to:
receive submissions of suspicious electronic communications;
categorize the suspicious electronic communications into clusters, wherein a first cluster of the clusters includes:
a first plurality of electronic communications categorized into the first cluster based at least in part on having a first feature in common; and
a second electronic communication that does not include the first feature and does share a second feature in common with at least one electronic communication of the first plurality of electronic communications;
categorize the clusters into priority tiers indicating different priorities for assessing if electronic communications are undesirable, wherein the first cluster is categorized into a first priority tier;
in response to receiving a selection of a first priority tier, provide first data including an indication of a first plurality of clusters associated with the first priority tier;
in response to receiving a selection of at least the first cluster, provide second data for displaying indications of the first plurality of electronic communications and the second electronic communication;
in response to receiving one or more user interactions to display details about the first cluster, provide third data for displaying:
a plurality of uniform resource locators (URLs), wherein each URL in the plurality of URLs is embedded in one or more of the electronic communications of the first cluster included in the first priority tier; and
information about a plurality of users, wherein each user of the plurality of users accessed one or more of the URLs embedded in one or more electronic communications of the first cluster included in the first priority tier;
receive a disposition indicating a type of undesirable electronic communication, the disposition selected from a menu of labels; and
apply the disposition to the first cluster including the first plurality of electronic communications and the second electronic communication.
Dependent claims: 10, 11
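The clustering the claims describe is transitive: emails that share a first feature form a cluster, and a further email that lacks that feature still joins when it shares some other feature with any member. The following Python is an added illustration of that pipeline (clustering, tiering, per-cluster URLs and affected users, one disposition applied to the whole cluster); it is not the patent's implementation. The feature kinds (sender domain, subject hash, embedded URLs), the tier rule, the function names and the sample submissions and proxy records are all assumptions made here, since the patent leaves the concrete criteria open.

```python
"""Cluster reported emails by shared features, tier the clusters, and apply
one disposition per cluster. Added illustration, not the patent's code."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample submissions (not from the patent). Each record carries a
# few features an ingestion step might extract from a reported email.
EMAILS = [
    {"id": "m1", "sender_domain": "invoice-pay.example", "subject_hash": "s1",
     "urls": ["http://pay.example/login"]},
    {"id": "m2", "sender_domain": "invoice-pay.example", "subject_hash": "s1",
     "urls": ["http://pay.example/login"]},
    {"id": "m3", "sender_domain": "invoice-pay.example", "subject_hash": "s2",
     "urls": []},
    # m4 has a different sender and subject but embeds the same URL as m1/m2,
    # so it joins their cluster through a second shared feature.
    {"id": "m4", "sender_domain": "other.example", "subject_hash": "s9",
     "urls": ["http://pay.example/login"]},
    {"id": "m5", "sender_domain": "news.example", "subject_hash": "s5",
     "urls": ["http://news.example/promo"]},
    {"id": "m6", "sender_domain": "lonely.example", "subject_hash": "s6",
     "urls": []},
]

# Constructed web-proxy records: (user, URL fetched). Hypothetical data.
CLICKS = [("alice", "http://pay.example/login"),
          ("bob", "http://pay.example/login"),
          ("alice", "http://intranet.example/home")]

Feature = Tuple[str, str]


def features_of(email: dict) -> Set[Feature]:
    """Typed feature keys, so a domain and a URL with equal text never collide."""
    feats = {("domain", email["sender_domain"]), ("subject", email["subject_hash"])}
    feats.update(("url", u) for u in email["urls"])
    return feats


def cluster_emails(emails: List[dict]) -> List[List[str]]:
    """Union-find over emails: two emails are linked when they share any one
    feature; clusters are the transitive closure of those links. Returns
    clusters as sorted id lists, ordered by their first member."""
    parent = {e["id"]: e["id"] for e in emails}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    owner: Dict[Feature, str] = {}          # first email seen with each feature
    for e in emails:
        for f in features_of(e):
            if f in owner:
                parent[find(e["id"])] = find(owner[f])   # union with earlier owner
            else:
                owner[f] = e["id"]
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in emails:
        groups[find(e["id"])].append(e["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def cluster_urls(cluster: List[str], emails: List[dict]) -> Set[str]:
    by_id = {e["id"]: e for e in emails}
    return {u for i in cluster for u in by_id[i]["urls"]}


def users_who_clicked(urls: Set[str], clicks: List[Tuple[str, str]]) -> Set[str]:
    return {user for user, url in clicks if url in urls}


def priority_tier(cluster: List[str], emails: List[dict],
                  clicks: List[Tuple[str, str]]) -> int:
    """Assumed tier rule: 1 when a cluster URL was actually fetched by a user,
    2 when URLs exist but nobody fetched them, 3 when the cluster has no URL."""
    urls = cluster_urls(cluster, emails)
    if not urls:
        return 3
    return 1 if users_who_clicked(urls, clicks) else 2


def triage(emails: List[dict], clicks: List[Tuple[str, str]]) -> Dict[int, List[dict]]:
    """Tier -> cluster summaries: what a UI shows after a tier is selected,
    then the URLs and affected users once a cluster is opened."""
    tiers: Dict[int, List[dict]] = defaultdict(list)
    for cluster in cluster_emails(emails):
        urls = cluster_urls(cluster, emails)
        tiers[priority_tier(cluster, emails, clicks)].append(
            {"emails": cluster, "urls": sorted(urls),
             "users": sorted(users_who_clicked(urls, clicks))})
    return dict(tiers)


def apply_disposition(cluster: List[str], label: str,
                      dispositions: Dict[str, str] = None) -> Dict[str, str]:
    """One analyst label covers every email of the cluster, including members
    that joined only through a secondary feature (m4 above)."""
    dispositions = {} if dispositions is None else dispositions
    for email_id in cluster:
        dispositions[email_id] = label
    return dispositions


if __name__ == "__main__":
    result = triage(EMAILS, CLICKS)
    for tier in sorted(result):
        for summary in result[tier]:
            print(tier, summary)
    print(apply_disposition(result[1][0]["emails"], "credential phishing"))
```

With the constructed data, m1 through m4 land in one tier-1 cluster (a URL from the cluster was fetched by two users), m5 sits alone in tier 2 and m6 in tier 3; labelling the first cluster marks m4 as well, even though it never shared the sender domain that pulled m1, m2 and m3 together.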