Method and system for phishing detection
First Claim
1. A method for detection of phishing attempts in received electronic mail messages in a networked environment including a plurality of personal computers, and electronic mail server, the method comprising:
receiving an incoming electronic mail message, wherein said electronic mail message includes an address;
retrieving the source code of said incoming message;
retrieving text as displayed to the recipient of said electronic message;
retrieving a list of all specified addresses from said retrieved source code;
applying visual character normalization to each said specified address to develop all possible address combinations and to form a normalized address list, said visual character normalization comprises the steps of;
extracting the address core from said incoming address;
replacing any character within said address core by its visual homonym, wherein said visual homonym includes a homographic character that comprises another character, to form a list of possible address cores;
performing additional character normalization operations on each of said possible address cores, wherein said additional character normalization operations include at least one member selected from the group consisting of duplicate character normalization, reduced character normalization, plural character normalization, and punctuation character normalization;
forming lists of new address cores for each of said character normalization operations performed;
merging said lists of new address cores and said possible address cores and removing duplicate address cores from said merged list to create a composite address core list;
recombining said composite address core list with the prefixes and suffixes appearing in said incoming electronic mail address to form a recombined list of addresses;
replacing the suffix of each said recombined address with all other possible suffixes to form a suffix list; and
merging said suffix list and said recombined list to form said normalized address list;
removing said specified addresses from said normalized address list to create a revised address list;
performing at least one comparison test to determine if each address in said revised address list is a valid address;
returning a message to said recipient that said electronic message may be a forgery if a tested address is found to be not valid;
performing said comparison tests on another address in said revised address list if said tested address is found to be valid; and
informing said recipient that said electronic message is valid and accepted if said tested address is found to be valid.
Abstract
A method for detection of phishing attempts in received electronic mail messages includes retrieving the source code, displayed text, and a list of all specified addresses contained within the source code of a received electronic message. Visual character normalization is applied to each specified address to develop all possible address combinations and to form a normalized address list. The specified addresses are removed from the normalized address list to create a revised address list, upon which comparison tests are performed to determine if each address in the revised address list is from a valid source. The recipient of the electronic message is informed of any message found to be from an invalid source.
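The visual character normalization steps of claim 1, as an added example (not code from the patent or its assignee), applied to host names. The homonym table, suffix list, known-address set and all function names are constructed assumptions; only duplicate and punctuation normalization are implemented, since the page does not define the reduced and plural variants, and the comparison test shown (membership in a known-address list) is likewise assumed.

```python
import re

# Constructed sample tables (assumptions for this example, not taken from the patent).
HOMONYMS = {"0": ["o"], "1": ["l", "i"], "5": ["s"], "rn": ["m"], "vv": ["w"]}
SUFFIXES = ["com", "net", "org"]
KNOWN_ADDRESSES = {"www.paypal.com", "www.microsoft.com"}

def split_address(host):
    """Split 'www.paypa1.com' into prefix 'www', core 'paypa1', suffix 'com'."""
    labels = host.lower().split(".")  # assumes at least core.suffix
    return ".".join(labels[:-2]), labels[-2], labels[-1]

def homonym_variants(core):
    """All cores reachable by replacing look-alike characters, in any combination."""
    seen, todo = {core}, [core]
    while todo:
        cur = todo.pop()
        for src, dsts in HOMONYMS.items():
            i = cur.find(src)
            while i != -1:
                for dst in dsts:
                    new = cur[:i] + dst + cur[i + len(src):]
                    if new not in seen:
                        seen.add(new)
                        todo.append(new)
                i = cur.find(src, i + 1)
    return seen

def normalized_addresses(host):
    prefix, core, suffix = split_address(host)
    cores = homonym_variants(core)
    extra = set()
    for c in cores:
        extra.add(re.sub(r"(.)\1+", r"\1", c))  # duplicate character normalization
        extra.add(c.replace("-", ""))            # punctuation character normalization
    cores |= extra                               # merge lists, duplicates drop out
    join = lambda c, s: ".".join(p for p in (prefix, c, s) if p)
    recombined = {join(c, suffix) for c in cores}
    suffix_list = {join(c, s) for c in cores for s in SUFFIXES if s != suffix}
    return recombined | suffix_list

def revised_addresses(host):
    """Normalized list minus the address that was actually specified."""
    return normalized_addresses(host) - {host.lower()}

def lookalike_hits(host):
    """Assumed comparison test: which variants are known addresses?"""
    return sorted(revised_addresses(host) & KNOWN_ADDRESSES)
```

A non-empty result from `lookalike_hits` means the specified address is a visual variant of a known address without being that address; the genuine address returns an empty list because it is removed before the comparison.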
82 Citations
15 Claims
11. A system for detection of phishing attempts in received electronic mail messages in a networked environment including a plurality of personal computers, and electronic mail server, the method comprising:
means for receiving an incoming electronic mail message, wherein said electronic mail message includes an address;
means for retrieving the source code of said incoming message;
means for retrieving text as displayed to the recipient of said electronic message;
means for retrieving a list of all specified addresses from said retrieved source code;
means for applying visual character normalization to each said specified address to develop all possible address combinations and to form a normalized address list, wherein applying said visual character normalization comprises;
means for extracting the address core from said incoming address;
replacing any character within said address core by its visual homonym, wherein said visual homonym includes a homographic character comprising another character, to form a list of possible address cores;
means for performing additional character normalization operations on each of said possible address cores, wherein said additional character normalization operations include at least one member selected from the group consisting of duplicate character normalization, reduced character normalization, plural character normalization, and punctuation character normalization;
means for forming lists of new address cores for each of said character normalization operations performed;
means for merging said lists of new address cores and said possible address cores and removing duplicate address cores from said merged list to create a composite address core list;
means for recombining said composite address core list with the prefixes and suffixes appearing in said incoming electronic mail address to form a recombined list of addresses;
means for replacing the suffix of each said recombined address with all other possible suffixes to form a suffix list; and
means for merging said suffix list and said recombined list to form a normalized address list;
means for removing said specified addresses from said normalized address list to create a revised address list;
means for performing comparison tests to determine if each address in said revised address list is a valid address;
means for returning a message to said recipient that said electronic message may be a forgery if a tested address is found to be not valid;
means for performing said comparison tests on another address in said revised address list if said tested address is found to be valid; and
means for informing said recipient that said electronic message is valid and accepted if said tested address is found to be valid.
15. A non-transitory computer-readable storage medium having computer readable program code embodied in said medium which, when said program code is executed by a computer causes said computer to perform method steps for detection of phishing attempts in received electronic mail messages in a networked environment including a plurality of personal computers, an electronic mail server, the method comprising:
receiving an incoming electronic mail message, wherein said electronic mail message includes an address;
retrieving the source code of said incoming message;
retrieving text as displayed to the recipient of said electronic message;
retrieving a list of all specified addresses from said retrieved source code;
applying visual character normalization to each said specified address to develop all possible address combinations and to form a normalized address list, wherein applying said visual character normalization comprises the steps of;
extracting the address core from said incoming address;
replacing any character within said address core by its visual homonym, wherein said visual homonym includes a homographic character comprising another character, to form a list of possible address cores;
performing additional character normalization operations on each of said possible address cores, wherein said additional character normalization operations include at least one member selected from the group consisting of duplicate character normalization, reduced character normalization, plural character normalization, and punctuation character normalization;
forming lists of new address cores for each of said character normalization operations performed;
merging said lists of new address cores and said possible address cores and removing duplicate address cores from said merged list to create a composite address core list;
recombining said composite address core list with the prefixes and suffixes appearing in said incoming electronic mail address to form a recombined list of addresses;
replacing the suffix of each said recombined address with all other possible suffixes to form a suffix list; and
merging said suffix list and said recombined list to form said normalized address list;
removing said specified addresses from said normalized address list to create a revised address list;
performing comparison tests to determine if each address in said revised address list is a valid address;
returning a message to said recipient that said electronic message may be a forgery if a tested address is found to be not valid;
performing said comparison tests on another address in said revised address list if said tested address is found to be valid; and
informing said recipient that said electronic message is valid and accepted if said tested address is found to be valid.
Specification