Systems and Methods for Identifying Potentially Malicious Messages

US 20060251068A1
Filed: 06/09/2006
Published: 11/09/2006
Est. Priority Date: 03/08/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting a spoofing situation with respect to one or more electronic communications, comprising:

receiving an electronic communication;

determining whether the electronic communication includes a textual or graphical reference to a first entity;

determining whether the textual or graphical reference to the first entity is associated with a link to a second entity; and

detecting whether a spoofing situation exists with respect to the received electronic communication based upon the determination of whether the textual or graphical reference is associated with the link to the second entity.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented systems and methods for identifying illegitimate messaging activity on a system using a network of sensors.

206 Citations

26 Claims

1. A computer-implemented method for detecting a spoofing situation with respect to one or more electronic communications, comprising:
- receiving an electronic communication;
  
  determining whether the electronic communication includes a textual or graphical reference to a first entity;
  
  determining whether the textual or graphical reference to the first entity is associated with a link to a second entity; and
  
  detecting whether a spoofing situation exists with respect to the received electronic communication based upon the determination of whether the textual or graphical reference is associated with the link to the second entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the spoofing situation is a phishing situation wherein the link to the second entity is a hyperlink to a website operated by the second entity.
  - 3. The method of claim 2, wherein the second entity is an attacker whose website, to which the hyperlink links, is configured for feigning association with the first entity and for acquiring confidential information from a user for illegitimate gain.
  - 4. The method of claim 1 further comprising:
    - generating a fingerprint of one or more elements from the first entity'"'"'s website;
      
      generating a fingerprint of one or more elements from the second entity'"'"'s website;
      
      comparing the second entity'"'"'s fingerprint with the first entity'"'"'s fingerprint in order to determine a degree of match between the fingerprints; and
      
      detecting whether a spoofing situation exists with respect to the received electronic communication based upon the degree of match between the fingerprints.
  - 5. The method of claim 4, wherein the one or more elements from the first and second entity'"'"'s website are textual or graphical elements.
  - 6. The method of claim 5, wherein the generating of the fingerprints includes use of a winnowing fingerprint approach.
  - 7. The method of claim 4, wherein the one or more elements from the first and second entity'"'"'s website are image elements.
  - 8. The method of claim 4, wherein the degree of match includes a match selected from the group consisting of a complete match, strong match, partial match, totally incomplete match, and combinations thereof.
  - 9. The method of claim 4, further comprising:
    - storing a number of instances of legitimate and illegitimate usages based upon whether the fingerprint from the first entity and the fingerprint from the second entity match; and
      
      displaying statistics comparing the number of instances of legitimate usage versus the number of instances of illegitimate usages.
  - 10. The method of claim 1, wherein results of said detecting step are provided to a reputation system;
    - wherein the reputation system uses the provided results as part of its determination of what reputation should be ascribed to a sender of the electronic communication.
  - 11. The method of claim 1, wherein results of said detecting step are provided to a fraud database for correlation and aggregation.
  - 12. The method of claim 1, wherein an action is performed in response to results of said detecting step;
    - wherein the action includes shutting down a website associated with the second entity.
  - 13. The method of claim 1, wherein a notification is provided to the first entity of results of said detecting step.
  - 14. The method of claim 1, further comprising:
    - determining whether a target/href mismatch has occurred in the received electronic communication; and
      
      detecting whether a spoofing situation exists with respect to the received electronic communication based upon the determination of with respect to the target/href mismatch.
  - 15. The method of claim 1, wherein the electronic communication is a communication selected from the group consisting of an e-mail message, and instant message, an SMS communication, a VOIP communication, a WAP communication, and combinations thereof.
  - 16. The method of claim 1, further comprising:
    - responsive to detecting a spoofing situation exists, performing at least one of the steps comprising;
      
      generating a fingerprint of the communication and comparing all other electronic communications to the fingerprint at the gateway;
      
      changing the reputation of the sender of the communication; and
      
      blocking the communication based on the spoofed URL in the communication
  - 17. The method of claim 1, wherein the step of detecting further comprises:
    - determining a reputation associated with a URL included in the communication;
      
      determining whether the age of the domain used in the URL is greater than a threshold;
      
      determining whether the owner of the domain/IP hosting a URL included in the message matches the owner of an IP address associated with the message; and
      
      determining whether an owner of a phone number associated with the message matches a database of known spoofing phone numbers.

18. A computer-implemented method for detecting a spoofing situation with respect to one or more electronic communications, wherein an inventory has been performed of uniform resource locators (URLs) permitted by a first entity for use within an electronic communication associated with the first entity, wherein the inventory is configured to be updated by an inventory update process, said method comprising:
- receiving an electronic communication;
  
  generating a list of company URLs in the received electronic communication;
  
  comparing the list of company URLs in the received electronic communication with the inventory of permitted URLs; and
  
  detecting whether a spoofing situation exists with respect to the received electronic communication based upon said comparing step.

19. A method of detecting illegitimate traffic originating from a domain, comprising the steps of:
- deploying a plurality of sensor devices at a plurality of associated nodes on the Internet;
  
  gathering messaging information from the plurality of sensor devices, the messaging information comprising one or more of messaging traffic level originating from a domain, or fraudulent messages originating from a domain;
  
  correlating the gathered messaging information;
  
  determining from the correlation whether a probable security condition exists with regard to a domain; and
  
  altering a domain owner or an internet service provider associated with a domain of a probable security condition with regard to the domain.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The method of claim 19, wherein the determining step comprises:
    - comparing a list of company URLs contained in the gathered messaging information with an inventory of permitted URLs based upon one or more IP addresses associated with the company; and
      
      if the list of company URLs contained in the received messaging information do not match the inventory of permitted URLs, signaling a probable security condition.
  - 21. The method of claim 19, wherein the determining step comprises:
    - comparing legitimate company content with content contained in the gathered messaging information; and
      
      if the content contained in the received messaging information does not match the legitimate company content, signaling a probable security condition.
  - 22. The method of claim 19, wherein the determining step comprises:
    - comparing message traffic levels of multiple machines associated with the same company;
      
      if the message traffic levels of multiple machines associated with the same company display similar peak or similarly sporadic traffic levels during similar time periods, signaling a probable security condition.
  - 23. The method of claim 19, wherein the sensors collect information about all messaging traffic which travels across the associated nodes without regard to the origin or destination of the messaging traffic.
  - 24. The method of claim 23, wherein the sensors collect information about all messaging traffic which travels across the associated nodes without regard to a protocol associated with the messaging traffic.
  - 25. The method of claim 19, further comprising the steps of:
    - gathering non-messaging data captured by a plurality of network entities combining the data captured by other network entities with the messaging data captured from the plurality of sensor devices;
      
      correlating the combined data;
      
      determining from the correlation whether a probable security condition exists with regard to a domain; and
      
      alerting a domain owner or an internet service provider associated with a domain of a probable security condition with regard to the domain.

26. A method of detecting illegitimate traffic originating from a domain, comprising the steps of:
- deploying a plurality of sensor devices at a plurality of associated nodes on the Internet;
  
  gathering messaging information from the plurality of sensor devices, the messaging information comprising one or more of messaging traffic level originating from an IP address, or fraudulent messages originating from the IP address;
  
  correlating the gathered messaging information;
  
  determining from the correlation whether a probable security condition exists with regard to the IP address; and
  
  alerting an owner associated with the IP address or an internet service provider associated with the IP address of a probable security condition with regard to the IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Ciphertrust, Incorporated (McAfee, LLC)
Inventors
Krasser, Sven, Alperovitch, Dmitri, Schneck, Phyllis Adele, Zdziarski, Jonathan Alexander, Judge, Paul

Granted Patent

US 8,578,480 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 67/00   Network arrangements or pro...

Systems and Methods for Identifying Potentially Malicious Messages

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Systems and Methods for Identifying Potentially Malicious Messages

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others