Method and system for phishing detection

US 20070283000A1
Filed: 05/30/2006
Published: 12/06/2007
Est. Priority Date: 05/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detection of phishing attempts in received electronic mail messages in a networked environment including a plurality of personal computers, and electronic mail server, the method comprising:

receiving an incoming electronic mail message, wherein said electronic mail message includes an address;

retrieving the source code of said incoming message;

retrieving text as displayed to the recipient of said electronic message;

retrieving a list of all specified addresses from said retrieved source code;

applying visual character normalization to each said specified address to develop all possible address combinations and to form a normalized address list;

removing said specified addresses from said normalized address list to create a revised address list;

performing comparison tests to determine if each address in said revised address list is a valid address;

returning a message to said recipient that said electronic message may be a forgery if a tested address is found to be not valid;

performing said comparison tests on another address in said revised address list if said tested address is found to be valid; and

informing said recipient that said electronic message is valid and accepted if said tested address is found to be valid.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detection of phishing attempts in received electronic mail messages includes retrieving the source code, displayed text, and a list of all specified addresses contained within the source code of a received electronic message. Visual character normalization is applied to each specified address to develop all possible address combinations and to form a normalized address list. The specified addresses are removed from the normalized address list to create a revised address list, upon which comparison tests are performed to determine if each address in the revised address list is from a valid source. The recipient of the electronic message is informed of any message found to be from an invalid source.

Citations

20 Claims

1. A method for detection of phishing attempts in received electronic mail messages in a networked environment including a plurality of personal computers, and electronic mail server, the method comprising:
- receiving an incoming electronic mail message, wherein said electronic mail message includes an address;
  
  retrieving the source code of said incoming message;
  
  retrieving text as displayed to the recipient of said electronic message;
  
  retrieving a list of all specified addresses from said retrieved source code;
  
  applying visual character normalization to each said specified address to develop all possible address combinations and to form a normalized address list;
  
  removing said specified addresses from said normalized address list to create a revised address list;
  
  performing comparison tests to determine if each address in said revised address list is a valid address;
  
  returning a message to said recipient that said electronic message may be a forgery if a tested address is found to be not valid;
  
  performing said comparison tests on another address in said revised address list if said tested address is found to be valid; and
  
  informing said recipient that said electronic message is valid and accepted if said tested address is found to be valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method for detection of phishing attempts in received electronic mail messages according to claim 1, wherein applying said visual character normalization comprises:
    - extracting the address core from said incoming address;
      
      replacing any character within said address core by its visual homonym, wherein said visual homonym includes a homographic character that appears very similar to another character to form a list of possible address cores;
      
      performing additional character normalization operations on each of said possible address cores, wherein said additional character normalization operations include at least one member selected from the group consisting of duplicate character normalization, reduced character normalization, plural character normalization, and punctuation character normalization;
      
      forming lists of new address cores for each of said character normalization operations performed;
      
      merging said lists of new address cores and said possible address cores and removing duplicate address cores from said merged list to create a composite address core list;
      
      recombining said composite address core list with the prefixes and suffixes appearing in said incoming electronic mail address to form a recombined list of addresses;
      
      replacing the suffix of each said recombined address with all other possible suffixes to form a suffix list; and
      
      merging said suffix list and said recombined list to form said normalized address list.
  - 3. The method for detection of phishing attempts in received electronic mail messages according to claim 2, wherein said visual homonym is derived through application of predefined transformation rules for ASCII characters.
  - 4. The method for detection of phishing attempts in received electronic mail messages according to claim 2, wherein said visual homonym is derived through transformation of any Unicode character similar to an ASCII character into its ASCII counterpart.
  - 5. The method for detection of phishing attempts in received electronic mail messages according to claim 2, wherein duplicate character normalization comprises:
    - duplicating a first character in a first address core to form a new address core;
      
      placing said new address core on a duplicate character address core list;
      
      duplicating another character in said address core to form another new address core and placing said new address core on said duplicate character address core list;
      
      continuing to duplicate another character in said address core to create another new address core and placing said new address core on said duplicate character list until all characters in said first address core have been used to create said new address cores; and
      
      selecting another address core and repeating the sequence of duplicating a character to form a new address core and adding said new address core to said duplicate character list until all characters in said selected another address core have been used to create said new address cores and duplicate character normalization has been applied to all address cores in said list of possible address cores.
  - 6. The method for detection of phishing attempts in received electronic mail messages according to claim 2, wherein reduced character normalization comprises:
    - replacing a contiguous duplicated character by a single occurrence of that character in a first address core to form a new address core;
      
      placing said new address core on a reduced character address core list;
      
      identifying additional contiguous duplicated characters in said first address core, forming additional new address cores, and placing said additional new address cores on said reduced character address core list until no contiguous duplicated characters remain in said first address core; and
      
      selecting another address from said list of possible address cores and repeating the sequence of identifying contiguous duplicated characters, forming new address cores, and adding said new address cores to said reduced character address core list until all of said possible address cores have been selected.
  - 7. The method for detection of phishing attempts in received electronic mail messages according to claim 2, wherein plural character normalization comprises:
    - adding or removing a plural character at the end of a first address core to form a new address core;
      
      placing said new address core on a plural character address core list; and
      
      repeating adding or removing a plural character at the end of each of said possible address cores to form additional new address cores and placing the additional new address cores on the plural character address core list.
  - 8. The method for detection of phishing attempts in received electronic mail messages according to claim 2, wherein punctuation character normalization comprises:
    - removing a first punctuation character from a first address core to form a new address core;
      
      placing said new address core on a punctuation character address core list;
      
      repeating removal of a punctuation character from a first address and placing said new address core on a punctuation character address list until all punctuation characters in said first address core have been removed; and
      
      repeating removal of single punctuation characters and placing said resulting new address core on said punctuation character address until all punctuation characters in all said possible address cores have been removed.
  - 9. The method for detection of phishing attempts in received electronic mail messages according to claim 1, wherein performing comparison tests comprises performing at least one member selected from the group consisting of a text comparison test, a white list test, and a search engine test.
  - 10. The method for detection of phishing attempts in received electronic mail messages according to claim 9, wherein performing said text comparison test comprises:
    - receiving email displayed text and at least one address from said revised list;
      
      extracting the address core from said received at least one address;
      
      tokenizing said email text into a set of tokens;
      
      determining if each said token matches said extracted address core;
      
      returning a message that said received address is not valid if any one of said tokens matches said extracted address core; and
      
      performing said white list comparison test if none of said tokens matches said extracted address core.
  - 11. The method for detection of phishing attempts in received electronic mail messages according to claim 9, wherein performing said white list comparison test comprises:
    - receiving a white list of names of companies which may be targeted by phishing attempts and at least one address from said revised list;
      
      determining if any of said names of companies matches the company name appearing in said received at least one address;
      
      returning a message that said at least one address is not valid if any one of said names of companies matches said name appearing in said at least one address; and
      
      performing a search engine comparison test if none of said names of companies matches said received at least one address.
  - 12. The method for detection of phishing attempts in received electronic mail messages according to claim 9, wherein performing said search engine test comprises:
    - receiving at least one normalized address and at least one address from said revised list;
      
      performing a search of said at least one normalized address in an Internet search engine;
      
      returning a message that said at least one normalized address is not valid if said normalized address search locates said at least one normalized address;
      
      extracting address cores for said at least one address from said revised list and said at least one normalized address;
      
      performing a keyword search in an Internet search engine and obtaining a total number of results, wherein said keyword consists of said at least one revised list address core;
      
      performing a keyword search in an Internet search engine and obtaining a total number of results, wherein said keyword consists of said normalized address core;
      
      determining whether the total number of search results for said at least one normalized address core exceeds the total number of results for said at least one revised list address core;
      
      returning a message that said at least one revised list address is not valid if the total number of search results for said at least one normalized address core exceeds the total number of results for the at least one revised list address core; and
      
      returning a message that said at least one revised list address is valid if the total number of search results for said at least one normalized address core does not exceed the total number of results for said at least one revised list address core.

13. A system for detection of phishing attempts in received electronic mail messages in a networked environment including a plurality of personal computers, and electronic mail server, the method comprising:
- means for receiving an incoming electronic mail message, wherein said electronic mail message includes an address;
  
  means for retrieving the source code of said incoming message;
  
  means for retrieving text as displayed to the recipient of said electronic message;
  
  means for retrieving a list of all specified addresses from said retrieved source code;
  
  means for applying visual character normalization to each said specified address to develop all possible address combinations and to form a normalized address list;
  
  means for removing said specified addresses from said normalized address list to create a revised address list;
  
  means for performing comparison tests to determine if each address in said revised address list is a valid address;
  
  means for returning a message to said recipient that said electronic message may be a forgery if a tested address is found to be not valid;
  
  means for performing said comparison tests on another address in said revised address list if said tested address is found to be valid; and
  
  means for informing said recipient that said electronic message is valid and accepted if said tested address is found to be valid.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system for detection of phishing attempts in received electronic mail messages according to claim 13, wherein applying said visual character normalization comprises:
    - means for extracting the address core from said incoming address;
      
      replacing any character within said address core by its visual homonym, wherein said visual homonym includes a homographic character that appears very similar to another character to form a list of possible address cores;
      
      means for performing additional character normalization operations on each of said possible address cores, wherein said additional character normalization operations include at least one member selected from the group consisting of duplicate character normalization, reduced character normalization, plural character normalization, and punctuation character normalization;
      
      means for forming lists of new address cores for each of said character normalization operations performed;
      
      means for merging said lists of new address cores and said possible address cores and removing duplicate address cores from said merged list to create a composite address core list;
      
      means for recombining said composite address core list with the prefixes and suffixes appearing in said incoming electronic mail address to form a recombined list of addresses;
      
      means for replacing the suffix of each said recombined address with all other possible suffixes to form a suffix list; and
      
      means for merging said suffix list and said recombined list to form a normalized address list.
  - 15. The system for detection of phishing attempts in received electronic mail messages according to claim 13, wherein performing comparison tests comprises performing at least one member selected from the group consisting of a text comparison test, a white list test, and a search engine test.
  - 16. The system for detection of phishing attempts in received electronic mail messages according to claim 15, wherein performing said text comparison test comprises:
    - means for receiving email displayed text and at least one address from said revised list;
      
      means for extracting the address core from said received at least one address;
      
      means for tokenizing said email text into a set of tokens;
      
      means for determining if each said token matches said extracted address core;
      
      means for returning a message that said received address is not valid if any one of said tokens matches said extracted address core; and
      
      means for performing said white list comparison test if none of said tokens matches said extracted address core.
  - 17. The system for detection of phishing attempts in received electronic mail messages according to claim 15, wherein performing said white list comparison test comprises:
    - means for receiving a white list of names of companies which may be targeted by phishing attempts and at least one address from said revised list;
      
      means for determining if any of said names of companies matches the company name appearing in said received at least one address;
      
      means for returning a message that said at least one address is not valid if any one of said names of companies matches said name appearing in said at least one address; and
      
      means for performing a search engine comparison test if none of said names of companies matches said received at least one address.
  - 18. The system for detection of phishing attempts in received electronic mail messages according to claim 15, wherein performing said search engine test comprises:
    - means for receiving at least one normalized address and at least one address from said revised list;
      
      means for performing a search of said at least one normalized address in an Internet search engine;
      
      means for returning a message that said at least one normalized address is not valid if said normalized address search locates said at least one normalized address;
      
      means for extracting address cores for said at least one address from said revised list and said at least one normalized address;
      
      means for performing a keyword search in an Internet search engine and obtaining a total number of results, wherein said keyword consists of said at least one revised list address core;
      
      means for performing a keyword search in an Internet search engine and obtaining a total number of results, wherein said keyword consists of said normalized address core;
      
      means for determining whether the total number of search results for said at least one normalized address core exceeds the total number of results for said at least one revised list address core;
      
      means for returning a message that said at least one revised list address is not valid if the total number of search results for said at least one normalized address core exceeds the total number of results for the at least one revised list address core; and
      
      means for returning a message that said at least one revised list address is valid if the total number of search results for said at least one normalized address core does not exceed the total number of results for said at least one revised list address core.

19. A computer-readable storage medium having computer readable program code embodied in said medium which, when said program code is executed by a computer causes said computer to perform method steps for detection of phishing attempts in received electronic mail messages in a networked environment including a plurality of personal computers, an electronic mail server, the method comprising:
- receiving an incoming electronic mail message, wherein said electronic mail message includes an address;
  
  retrieving the source code of said incoming message;
  
  retrieving text as displayed to the recipient of said electronic message;
  
  retrieving a list of all specified addresses from said retrieved source code;
  
  applying visual character normalization to each said specified address to develop all possible address combinations and to form a normalized address list;
  
  removing said specified addresses from said normalized address list to create a revised address list;
  
  performing comparison tests to determine if each address in said revised address list is a valid address;
  
  returning a message to said recipient that said electronic message may be a forgery if a tested address is found to be not valid;
  
  performing said comparison tests on another address in said revised address list if said tested address is found to be valid; and
  
  informing said recipient that said electronic message is valid and accepted if said tested address is found to be valid.
- View Dependent Claims (20)
- - 20. The computer-readable storage medium according to claim 19, wherein applying said visual character normalization comprises:
    - extracting the address core from said incoming address;
      
      replacing any character within said address core by its visual homonym, wherein said visual homonym includes a homographic character that appears very similar to another character to form a list of possible address cores;
      
      performing additional character normalization operations on each of said possible address cores, wherein said additional character normalization operations include at least one member selected from the group consisting of duplicate character normalization, reduced character normalization, plural character normalization, and punctuation character normalization;
      
      forming lists of new address cores for each of said character normalization operations performed;
      
      merging said lists of new address cores and said possible address cores and removing duplicate address cores from said merged list to create a composite address core list;
      
      recombining said composite address core list with the prefixes and suffixes appearing in said incoming electronic mail address to form a recombined list of addresses;
      
      replacing the suffix of each said recombined address with all other possible suffixes to form a suffix list; and
      
      merging said suffix list and said recombined list to form said normalized address list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Xerox Corporation (Xerox Holdings Corp.)
Inventors
Proux, Denys, Cheminot, Eric, Guerin, Nicolas

Granted Patent

US 7,668,921 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Method and system for phishing detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for phishing detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links