Attack resistant phishing detection

US 20070005984A1
Filed: 02/23/2006
Published: 01/04/2007
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A phishing detection server component, comprising:

of the a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and

, a report verification component that receives a password reuse event report comprising a timestamp, the verification component first determines whether the timestamp is genuine, and, if it is genuine, employs the timestamp to determine whether the report is false, and, if the report is determined to be false, stores an indication that the report is false and not to be employed to perform phishing analysis.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A phishing detection server component and method is provided. The component can be employed as part of a system to detect/phishing attacks. The phishing detection server component can receive password reuse event report(s), for example, from a protection component of client component(s). Due to the malicious nature of phishing in general, the phishing detection server component can be susceptible to attacks by phishers (e.g., by reverse engineering of the client component). For example, false report(s) of PREs can be received from phisher(s) in an attempt to overwhelm the server component, induce false positives and/or induce false negatives. Upon receipt of a PRE report, the phishing detection server component can first verify that the timestamp(s) are genuine (e.g., previously generated by the phishing detection server component). The report verification component can employ the timestamp(s) to verify veracity of the report (e.g., to minimize attacks by phishers).

199 Citations

20 Claims

1. A phishing detection server component, comprising:
- of the a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and
  
  , a report verification component that receives a password reuse event report comprising a timestamp, the verification component first determines whether the timestamp is genuine, and, if it is genuine, employs the timestamp to determine whether the report is false, and, if the report is determined to be false, stores an indication that the report is false and not to be employed to perform phishing analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The component of claim 1, further comprising a timestamp generator that generates a unique timestamp associated with a password reuse event report.
  - 3. The component of claim 1, the password reuse event report comprising a plurality of timestamps, each timestamps associated with a time that an associated site was added to a client'"'"'s protected credential store.
  - 4. The component of claim 3, the report verification component determines the report is false if none the timestamps is at least a threshold period of time old.
  - 5. The component of claim 3, the report verification component determines the report is false if any of the timestamps has been used in a report in a second threshold period of time.
  - 6. The component of claim 3, the report verification component determines the report is false if any of the timestamps has appeared more than a third threshold quantity of times.
  - 7. The component of claim 3, the report verification component determines the report is false if any of the timestamps were used to report that a site subsequently identified as phishing has a re-use event against an innocent site.
  - 8. The component of claim 1, the report verification component verifies with at least one trusted site that a claimed login event has actually occurred, the report verification component determines the report is false if the login event is not verified by the trusted site.
  - 9. The component of claim 1, the report verification component determines a likelihood of the password reuse event being false based on learned statistics of password reuse.
  - 10. The component of claim 9, the learned statistics are based, at least in part, upon a geographic location associated with a site associated with the timestamp.
  - 11. The component of claim 1, further comprising a grader that identifies a suspected phishing site and provides a warning to a client component when phishing is suspected, the grader further receiving feedback from the client component as to whether the warning was heeded, the grader employs the feedback in assessing whether the warning was valid.
  - 12. The component of claim 1, the report verification component further receives traffic information with respect to sites and utilizes the traffic information in determining whether the report is false.
  - 13. The component of claim 1, the report comprises a hash based, at least in part, upon one of a userid, a password, a domain name, source code of a viewed web page, timestamp information from the security server, and a time of a previous login at a trusted site.

14. A phishing detection server component, comprising:
- a report store that stores information regarding password reuse event reports employed to perform phishing analysis; and
  
  , a report verification component that receives password reuse event reports from a plurality of client components, each report comprising a timestamp, the report verification component analyzes the reports to ascertain a suspected phishing site and a target.
- View Dependent Claims (15, 16)
- - 15. The component of claim 14, the report verification component further examines the suspected phishing site to determine whether the reports are false.
  - 16. The component of claim 15, if the report is determined to be false, the report verification component stores an indication that the reports are false and not to be employed to perform phishing analysis.

17. A method of verifying a password reuse event report, comprising:
- receiving the password reuse event report, the report comprising information regarding a client'"'"'s protected credential;
  
  determining that phishing has occurred; and
  
  , providing a target with user information of a phished user.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - changing credentials associated with the phished user; and
      
      , notifying the phished user of the changed credentials.
  - 19. The method of claim 17, the user information comprising a hash based, at least in part, upon one of a userid, a password, a domain name, source code of a viewed web page, timestamp information from the security server, and a time of a previous login at a trusted site.
  - 20. The method of claim 17, notification comprising the e-mail with the changed credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Florencio, Dinei, Herley, Cormac

Granted Patent

US 7,925,883 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/178
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/14   for detecting or protecting...

H04L 63/1483   service impersonation, e.g....

H04L 9/3226   using a predetermined code,...

H04L 9/3297   involving time stamps, e.g....

Attack resistant phishing detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

199 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Attack resistant phishing detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others