System and method for electronic message analysis for phishing detection
First Claim
1. A server implemented method for analyzing electronic messages for phishing detection, comprising:
receiving, by the server, an email message by a recipient/recipient organization from a sender/sender organization;
obtaining, by the server, email characteristics by parsing the received email message based on a set of predetermined email characteristics;
comparing, by the server, the email characteristics of the received email message with the email characteristics associated with the recipient/recipient organization, and/or the sender/sender organization;
declaring, by the server, the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison;
wherein the email characteristics are selected from the group consisting of network path used to reach a recipient/recipient organization, geography associated with IP address, email client software used by the sender/sender organization, email client software version used by the sender/sender organization, date, day of week, time, time period of the email, time zone of the sender/sender organization, presence and details of digital signatures in the email, metadata present in the header portion of the email, character set used in the content of the email, format of the email, email length and subject length, character case of the email, character case of the subject, style of introduction at the top of the email, style and content of the sender/sender organization's signature in the body of the email, other recipient/recipient organizations included in the email, to, and copy circulated (cc'd) email addresses, sender/sender organization's name, sender/sender organization's from and reply-to email address, sender's organization name, sender's domain name, sender's organization's Domain Name Service (DNS) settings including SPF records, sender organization's mail server information, including server IP address, sender/sender organization server network path, sender/sender organization email server software and software version, DKIM signature, spam scoring from spam software, message ID, volume of email sent by the sender/sender organization, volume of email sent by the sender's organization, volume of email received by the recipient, volume of email received by the recipient organization, details associated with URLs or attachments in the email, whether the recipient/recipient organization has responded to this specific email, and number of interactions between sender and recipient associated with the email and the like; and
allowing an administrator to select desired email characteristics to be included in the set of characteristics used for comparing the characteristics of the received email message and to assign a weight of how much each characteristic should influence the likelihood that a new message is a phishing message.
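The weighted comparison that claim 1 describes, as an added example that is not part of the patent: a stored profile of the characteristics previously seen from one sender (mail client, Date time zone, charset, Reply-To domain, DKIM presence, SPF result), administrator-assigned weights, and a threshold at which the message is declared phishing. The profile values, weights, threshold, header names chosen and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
# Constructed profile of sender alice@example.com, built from earlier trusted mail.
SENDER_PROFILE = {"x_mailer": "Outlook 16.0", "timezone": "-0500", "charset": "utf-8",
                  "reply_to_domain": "example.com", "dkim_present": True, "spf_result": "pass"}
# Administrator-selected weights: how much each deviation raises the phishing score.
WEIGHTS = {"x_mailer": 1.0, "timezone": 1.0, "charset": 0.5,
           "reply_to_domain": 3.0, "dkim_present": 2.0, "spf_result": 2.0}

def extract_characteristics(raw: str) -> dict:
    """Parse the subset of the claim's characteristics this example compares."""
    msg = message_from_string(raw)
    date = msg.get("Date", "")
    reply_to = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]
    auth = msg.get("Authentication-Results", "")
    return {
        "x_mailer": msg.get("X-Mailer", ""),
        "timezone": date.rsplit(" ", 1)[-1] if date else "",  # zone at end of Date
        "charset": (msg.get_content_charset() or "").lower(),
        "reply_to_domain": reply_to.rsplit("@", 1)[-1].lower(),
        "dkim_present": msg.get("DKIM-Signature") is not None,
        "spf_result": "pass" if "spf=pass" in auth else "fail",
    }

def phishing_score(chars: dict, profile=SENDER_PROFILE, weights=WEIGHTS) -> float:
    # Sum the weights of every characteristic that differs from the stored profile.
    return sum(w for k, w in weights.items() if chars.get(k) != profile.get(k))

def is_phishing(raw: str, threshold: float = 4.0) -> bool:
    # The "declaring" step: flag once the weighted deviation reaches the threshold.
    return phishing_score(extract_characteristics(raw)) >= threshold

# Constructed samples: one consistent with the profile, one deviating on most fields.
LEGIT = """\
From: Alice <alice@example.com>
Date: Mon, 3 Jun 2019 09:12:00 -0500
X-Mailer: Outlook 16.0
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; b=CONSTRUCTED
Authentication-Results: mx.recipient.test; spf=pass
Content-Type: text/plain; charset="utf-8"

Hi, the quarterly notes are attached.
"""
SUSPICIOUS = """\
From: Alice <alice@example.com>
Reply-To: alice.payments@mail-example.test
Date: Mon, 3 Jun 2019 02:40:00 +0300
Authentication-Results: mx.recipient.test; spf=fail
Content-Type: text/plain; charset="iso-8859-1"

Please update the bank details on file today.
"""
```

A missing header counts as a deviation too (the second sample has no X-Mailer), which is why absent characteristics are read as empty values rather than skipped.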
Abstract
A system and method for analyzing electronic messages for phishing detection are disclosed. In one example, email characteristics are obtained by parsing a received email message from a sender/sender organization to a recipient/recipient organization based on a set of predetermined email characteristics; the email characteristics of the received email message are then compared with email characteristics associated with the recipient/recipient organization and/or the sender/sender organization, and the received email message is then declared as a phishing electronic message based on the outcome of the comparison.
30 Claims
1. The independent method claim reproduced in full under First Claim above. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. A server implemented method for analyzing electronic messages for phishing detection, comprising:
receiving, by the server, an email message by a recipient/recipient organization from a sender/sender organization;
obtaining, by the server, email characteristics by parsing the received email message based on a set of predetermined email characteristics;
comparing, by the server, the email characteristics of the received email message with the email characteristics associated with the recipient/recipient organization, and/or the sender/sender organization;
declaring, by the server, the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison;
obtaining contact and background information associated with an email recipient/recipient organization from the recipient's/recipient organization's online social networks;
storing the contact and background information in the database;
upon receiving an email, determining whether the contact and background information in the received email is correct using the stored contact and background information; and
using the outcome of the determination as a factor in declaring the received email as a phishing email. (Dependent claims: 13, 14, 15)
16. A system for analyzing electronic messages for phishing detection, comprising:
one or more recipient's/recipient organization's email servers;
one or more sender's email clients;
one or more recipient's email clients;
Intranet or Internet;
a database; and
one or more anti-phishing servers coupled to the database, and further the one or more anti-phishing servers coupled to the one or more recipient's/recipient's organization's email servers, the one or more sender's email clients, and/or the one or more recipient's email clients via Internet or Intranet, wherein the email client plugin module attaches to one or more recipient's email clients and wherein the anti-phishing server comprises:
a processor; and
a memory coupled to the processor, wherein the memory comprises an anti-phishing module, wherein the anti-phishing module comprises an import module, an analysis and data warehouse module, a mail handler module, an organizational analysis module, an outbound mail relay module, and a configuration and management module that are configured to:
receiving an email message from one or more sender/sender organizations by one or more recipients/recipient's organization via the mail handler module;
obtaining email characteristics by parsing the received email message based on a set of predetermined email characteristics by the analysis and data warehouse module;
comparing the email characteristics of the received email message with email characteristics associated with the recipient/recipient organization and/or the sender/sender organization by the analysis and data warehouse module; and
declaring the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison by the analysis and data warehouse module;
wherein the email characteristics are selected from the group consisting of network path used to reach a recipient/recipient organization, geography associated with IP address, email client software used by the sender/sender organization, email client software version used by the sender/sender organization, date, day of week, time, time period of the email, time zone of the sender/sender organization, presence and details of digital signatures in the email, metadata present in the header portion of the email, character set used in the content of the email, format of the email, email length and subject length, character case of the email, character case of the subject, style of introduction at the top of the email, style and content of the sender/sender organization's signature in the body of the email, other recipient/recipient organizations included in the email, to, and copy circulated (cc'd) email addresses, sender/sender organization's name, sender/sender organization's from and reply-to email address, sender's organization name, sender's domain name, sender's organization's Domain Name Service (DNS) settings including SPF records, sender organization's mail server information, including server IP address, sender/sender organization server network path, sender/sender organization email server software and software version, DKIM signature, spam scoring from spam software, message ID, volume of email sent by the sender/sender organization, volume of email sent by the sender's organization, volume of email received by the recipient, volume of email received by the recipient organization, details associated with URLs or attachments in the email, whether the recipient/recipient organization has responded to this specific email, and number of interactions between sender and recipient associated with the email and the like; and
wherein the configuration and management module allows an administrator to select desired email characteristics to be included in the set of characteristics used for comparing the characteristics of the received email message and to assign a weight of how much each characteristic should influence the likelihood that a new message is a phishing message.
(Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
27. A system for analyzing electronic messages for phishing detection, comprising:
one or more recipient's/recipient organization's email servers;
one or more sender's email clients;
one or more recipient's email clients;
Intranet or Internet;
a database; and
one or more anti-phishing servers coupled to the database, and further the one or more anti-phishing servers coupled to the one or more recipient's/recipient's organization's email servers, the one or more sender's email clients, and/or the one or more recipient's email clients via Internet or Intranet, wherein the email client plugin module attaches to one or more recipient's email clients and wherein the anti-phishing server comprises:
a processor; and
a memory coupled to the processor, wherein the memory comprises an anti-phishing module, wherein the anti-phishing module comprises an import module, an analysis and data warehouse module, a mail handler module, an organizational analysis module, an outbound mail relay module, and a configuration and management module that are configured to:
receiving an email message from one or more sender/sender organizations by one or more recipients/recipient's organization via the mail handler module;
obtaining email characteristics by parsing the received email message based on a set of predetermined email characteristics by the analysis and data warehouse module;
comparing the email characteristics of the received email message with email characteristics associated with the recipient/recipient organization and/or the sender/sender organization by the analysis and data warehouse module;
declaring the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison by the analysis and data warehouse module; and
wherein the email client plugin module along with the configuration and management module obtains contact and background information associated with an email recipient from the recipient's online social networks, wherein the analysis and data warehouse module stores the contact and background information in the database, wherein the analysis and data warehouse module, upon receiving an email, determines whether the contact and background information in the received email is correct using the stored contact and background information, and wherein the analysis and data warehouse module uses the outcome of the above determination as a factor in declaring the received email as a phishing email.
(Dependent claims: 28, 29, 30)