PHISH PROBABILITY SCORING MODEL

US 20100281536A1
Filed: 04/30/2009
Published: 11/04/2010
Est. Priority Date: 04/30/2009
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor for execution of a threat detection application for determining the probability that a website link is associated with fraudulent activity;

a communication device associated with the processor for receiving a website link; and

a database associated with the processor, the database comprising;

a plurality of different keyword combinations that have been identified in previously received website links; and

for each of the different keyword combination, a total number of instances a website link containing the respective keyword combination has been received by the system and a number of instances a website link containing the respective keyword combination was associated with fraudulent activity;

wherein the threat detection application executed by the processor is configured to;

review each website link received by the system to identify which of the keyword combinations is included in the website link; and

calculate a threat score for each website link based the total number of instances a website link containing the same keyword combination has been received by the system and the number of instances a website link containing the same keyword combination was associated with fraudulent activity.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, embodiments of the invention relate to systems, methods, and computer program products for determining the probability that a given website is conducting or is related to fraudulent activity, including phishing activity. More particularly, embodiments of the invention relate to automatically monitoring and scoring URLs for fraudulent activity by parsing keywords, combinations of keywords, and other relevant data from an input communication, such as an email, and analyzing the data obtained against a database containing a plurality of grading factors.

Citations

20 Claims

1. A system comprising:
- a processor for execution of a threat detection application for determining the probability that a website link is associated with fraudulent activity;
  
  a communication device associated with the processor for receiving a website link; and
  
  a database associated with the processor, the database comprising;
  
  a plurality of different keyword combinations that have been identified in previously received website links; and
  
  for each of the different keyword combination, a total number of instances a website link containing the respective keyword combination has been received by the system and a number of instances a website link containing the respective keyword combination was associated with fraudulent activity;
  
  wherein the threat detection application executed by the processor is configured to;
  
  review each website link received by the system to identify which of the keyword combinations is included in the website link; and
  
  calculate a threat score for each website link based the total number of instances a website link containing the same keyword combination has been received by the system and the number of instances a website link containing the same keyword combination was associated with fraudulent activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the keyword combination comprises only one keyword.
  - 3. The system of claim 1, wherein the keyword combination comprises more than one keyword.
  - 4. The system of claim 1, wherein the database is organized into a table having a plurality of lines.
  - 5. The system of claim 4, wherein each of the different keyword combinations is assigned to one of the lines.
  - 6. The system of claim 5, wherein each line comprises:
    - a plurality of data points, wherein each data point represents one of the keywords of the particular keyword combination assigned to the line, wherein the individual data points, which each represent one keyword, combine represent the keyword combination assigned to the line;
      
      the total number of instances a website link containing the keyword combination assigned to the line has been received by the system; and
      
      number of instances a website link containing the keyword combination assigned to the line was associated with fraudulent activity.
  - 7. The system of claim 6, wherein, if a received website link includes a keyword combination that does not match any of the keyword combinations assigned to the lines in the table, the threat detection application executed by the processor is configured to combine multiple lines of the table so as to create a keyword combination that matches the keyword combination of the received website link.
  - 8. The system of claim 7, wherein the threat detection application executed by the processor is further configured to:
    - aggregate the number of instances the keyword combinations of each of the combined lines have been identified in previously received website links; and
      
      aggregate the number of instances the keyword combinations of each of the combined lines have been identified in previously reported website links that are associated with fraudulent activity.
  - 9. The system of claim 8, wherein the threat detection application executed by the processor is further configured to:
    - calculate the threat score by determining the ratio of the aggregated number of instances the keyword combinations of the combined lines have been reported and aggregate the number of instances the keyword combinations of each of the combined lines have been identified in previously reported website links that are associated with fraudulent activity.
  - 10. The system of claim 1, wherein the threat score is the probability that a website link is associated with fraudulent activity.

11. A method comprising:
- storing in a database the following information;
  
  a plurality of different keyword combinations that have been identified in previously received website links; and
  
  for each of the different keyword combination, a total number of instances a website link containing the respective keyword combination has been received by the system and a number of instances a website link containing the respective keyword combination was associated with fraudulent activity;
  
  using a processor to access the database and execute a threat detection application for determining the probability that a website link is associated with fraudulent activity;
  
  wherein the threat detection application executed by the processor is configured to;
  
  review each website link received by the system to identify which of the keyword combinations is included in the website link; and
  
  calculate a threat score for each website link based the total number of instances a website link containing the same keyword combination has been received by the system and the number of instances a website link containing the same keyword combination was associated with fraudulent activity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the keyword combination comprises only one keyword.
  - 13. The method of claim 11, wherein the keyword combination comprises more than one keyword.
  - 14. The method of claim 11, further comprising:
    - organizing the database into a table having a plurality of lines.
  - 15. The method of claim 14, further comprising:
    - assigning each of the different keyword combinations to one of the lines of the table.
  - 16. The method of claim 15, wherein each line comprises:
    - a plurality of data points, wherein each data point represents one of the keywords of the particular keyword combination assigned to the line, wherein the individual data points, which each represent one keyword, combine represent the keyword combination assigned to the line;
      
      the total number of instances a website link containing the keyword combination assigned to the line has been received by the system; and
      
      number of instances a website link containing the keyword combination assigned to the line was associated with fraudulent activity.
  - 17. The method of claim 16, wherein, if a received website link includes a keyword combination that does not match any of the keyword combinations assigned to the lines in the table, the threat detection application executed by the processor is configured to combine multiple lines of the table so as to create a keyword combination that matches the keyword combination of the received website link.
  - 18. The method of claim 17, wherein the threat detection application executed by the processor is further configured to:
    - aggregate the number of instances the keyword combinations of each of the combined lines have been identified in previously received website links; and
      
      aggregate the number of instances the keyword combinations of each of the combined lines have been identified in previously reported website links that are associated with fraudulent activity.
  - 19. The method of claim 18, wherein the threat detection application executed by the processor is further configured to:
    - calculate the threat score by determining the ratio of the aggregated number of instances the keyword combinations of the combined lines have been reported and aggregate the number of instances the keyword combinations of each of the combined lines have been identified in previously reported website links that are associated with fraudulent activity.

20. A computer program product for determining the probability that a website link is associated with fraudulent activity, the computer program product comprising a computer-readable medium having computer-executable instructions embodied therein, said computer-executable instructions comprising:
- first instructions configured to store in a database a plurality of different keyword combinations that have been identified in previously received website links;
  
  second instructions configured to store in the database, for each of the different keyword combinations, a total number of instances a website link containing the respective keyword combination has been received by the system and a number of instances a website link containing the respective keyword combination was associated with fraudulent activity;
  
  third instructions configured to receive from a client device a website link in question;
  
  fourth instructions configured to identify which of the keyword combinations is included in the website link in question; and
  
  fifth instructions configured to determine the probability that the website link in question is associated with fraudulent activity by dividing the total number of instances a website link has been stored in the database having the same keyword combination identified in the website link in question by the number of instances a website link has been stored in the database having the same keyword combination and being associated with fraudulent activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Andersen, David M., Mayer, Michael J., Richards, Phillip L.

Granted Patent

US 8,769,695 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2119   Authenticating web pages, e...

H04L 51/212   using filtering or selectiv...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

PHISH PROBABILITY SCORING MODEL

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PHISH PROBABILITY SCORING MODEL

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links