Social Engineering Protection Appliance

US 20120096553A1
Filed: 10/19/2010
Published: 04/19/2012
Est. Priority Date: 10/19/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of analyzing incoming emails, the method comprising:

extracting one or more non-semantic data items from an incoming email;

determining whether one or more of the non-semantic data items match information stored in a data store of previously collected information;

performing behavioral analysis on one or more of the non-semantic data items;

analyzing semantic data associated with the incoming email to determine whether the semantic data matches one or more patterns associated with malicious emails; and

based on the determining, performing, and analyzing, identifying the incoming email as potentially malicious or non-malicious.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting social engineering attacks comprise: extracting one or more non-semantic data items from an incoming email; determining whether the one or more non-semantic data items match information stored in a data store of previously collected information; performing behavioral analysis on the one or more non-semantic data items; analyzing semantic data associated with the email to determine whether the non-semantic data matches one or more patterns associated with malicious emails; and based on the determining, performing, and analyzing, identifying the email as potentially malicious or non-malicious. The system also includes processes for collecting relevant information for storage within the data store and processes for harvesting information from detected social engineering attacks for entry into the data store and seeding of the collection processes.

191 Citations

20 Claims

1. A computer-implemented method of analyzing incoming emails, the method comprising:
- extracting one or more non-semantic data items from an incoming email;
  
  determining whether one or more of the non-semantic data items match information stored in a data store of previously collected information;
  
  performing behavioral analysis on one or more of the non-semantic data items;
  
  analyzing semantic data associated with the incoming email to determine whether the semantic data matches one or more patterns associated with malicious emails; and
  
  based on the determining, performing, and analyzing, identifying the incoming email as potentially malicious or non-malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - collecting and storing the information in the data store.
  - 3. The method of claim 1, further comprising:
    - presenting the incoming email for manual review by one or more analysts;
      
      receiving input about the incoming email from the one or more analysts; and
      
      identifying the incoming email as malicious or non-malicious based on the input about the incoming email.
  - 4. The method of claim 1, wherein each step is performed substantially in real-time.
  - 5. The method of claim 1, wherein determining whether the one or more non-semantic data items match information stored in the data store of previously collected information comprises generating a match score that reflects a degree to which the one or more non-semantic data items match information stored in the data store of previously collected information;
    - andwherein identifying the incoming email as potentially malicious or non-malicious comprises comparing the match score with a threshold score.
  - 6. The method of claim 1, wherein performing behavioral analysis on the one or more non-semantic data items comprises generating a behavioral analysis score;
    - andwherein identifying the incoming email as potentially malicious or non-malicious comprises comparing the behavioral analysis score with a threshold score.
  - 7. The method of claim 1, wherein analyzing the semantic data comprises generating a pattern score that reflects a degree to which the semantic data matches the one or more patterns;
    - andwherein identifying the incoming email as potentially malicious or non-malicious comprises comparing the pattern score with a threshold score.
  - 8. The method of claim 1, further comprising:
    - when the incoming email is identified as potentially malicious, extracting identification information from the incoming email and storing the identification information from the incoming email in the data store.
  - 9. The method of claim 8, further comprising:
    - performing behavioral analysis on the incoming email to collect additional security information; and
      
      storing the additional security information in the data store.
  - 10. The method of claim 9, further comprising:
    - seeding a collection process with the additional security information, wherein the collection process collects information for entry into the data store.

11. A system for analyzing incoming emails, the system comprising:
- a processing system comprising one or more processors; and
  
  a memory system comprising one or more computer-readable media, wherein the computer-readable media store instructions that, when executed by the processing system, cause the system to perform the operations of;
  
  extracting one or more non-semantic data items from an incoming email;
  
  determining whether one or more of the non-semantic data items match information stored in a data store of previously collected information;
  
  performing behavioral analysis on one or more of the non-semantic data items;
  
  analyzing semantic data associated with the incoming email to determine whether the semantic data matches one or more patterns associated with malicious emails; and
  
  based on the determining, performing, and analyzing, identifying the email as potentially malicious or non-malicious.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the operations further comprise:
    - collecting and storing the information in the data store.
  - 13. The system of claim 11, wherein the operations further comprise:
    - presenting the incoming email for manual review by one or more analysts;
      
      receiving input about the incoming email from the one or more analysts; and
      
      identifying the incoming email as malicious or non-malicious based on the input about the email.
  - 14. The system of claim 11, wherein each operation is performed substantially in real-time.
  - 15. The system of claim 11, wherein determining whether the one or more non-semantic data items match information stored in the data store of previously collected information comprises generating a match score that reflects a degree to which the one or more non-semantic data items match information stored in the data store of previously collected information;
    - andwherein identifying the incoming email as potentially malicious or non-malicious comprises comparing the match score with a threshold score.
  - 16. The system of claim 11, wherein performing behavioral analysis on the one or more non-semantic data items comprises generating a behavioral analysis score;
    - andwherein identifying the incoming email as potentially malicious or non-malicious comprises comparing the behavioral analysis score with a threshold score.
  - 17. The system of claim 11, wherein analyzing the semantic data comprises generating a pattern score that reflects a degree to which the semantic data matches the one or more patterns;
    - andwherein identifying the incoming email as potentially malicious or non-malicious comprises comparing the pattern score with a threshold score.
  - 18. The system of claim 11, wherein the operations further comprise:
    - when the incoming email is identified as potentially malicious, extracting identification information from the incoming email and storing the identification information from the incoming email in the data store.
  - 19. The system of claim 18, wherein the operations further comprise:
    - performing behavioral analysis on the incoming email to collect additional security information; and
      
      storing the additional security information in the data store.
  - 20. The system of claim 19, wherein the operations further comprise:
    - seeding a collection process with the additional security information, wherein the collection process collects information for entry into the data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyveillance, Inc. (ZeroFox Holdings, Inc.)
Original Assignee
Cyveillance, Inc. (ZeroFox Holdings, Inc.)
Inventors
Srivastava, Manoj Kumar, Walker, William Andrews, Olson, Eric Alexander

Granted Patent

US 9,123,027 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/52   for supporting social netwo...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Social Engineering Protection Appliance

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

191 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Social Engineering Protection Appliance

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

191 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links