Systems and methods for identifying potentially malicious messages
Abstract
Computer-implemented systems and methods for identifying illegitimate messaging activity on a system using a network of sensors.
23 Claims
1. A computer-implemented method for detecting a spoofing situation with respect to one or more electronic communications, the method comprising:
- receiving an electronic communication through a network interface addressed to a recipient;
- storing the electronic communication in computer memory;
- determining, by one or more processors and prior to the communication being provided to the recipient, that the electronic communication includes a link associated with a description of a first entity and that the link links to first content represented as particular content of the first entity, wherein the first content includes a first set of elements;
- identifying a legitimate version of the particular content including a second set of elements, wherein identifying the legitimate version includes identifying a first fingerprint of one or more elements from the legitimate version;
- generating a second fingerprint, wherein the second fingerprint is a fingerprint of one or more elements from the first content;
- determining a degree of match between the first and second sets of elements based at least in part on a comparison of the second fingerprint with the first fingerprint, wherein determining the degree of match includes determining whether one or more elements of the first set of elements originate from a second entity different from the first entity;
- detecting, by the one or more processors, prior to the communication being provided to the recipient that a spoofing situation exists with respect to the received electronic communication based upon the determined degree of match; and
- in response to detecting that a spoofing situation exists, blocking the communication from being provided to the recipient.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
18. A method of detecting illegitimate traffic originating from a domain, the method comprising:
- deploying a plurality of sensor devices at a plurality of associated nodes on the Internet;
- gathering messaging information from the plurality of sensor devices, wherein the messaging information describes messages originating from a set of domains including the domain;
- correlating a portion of the gathered messaging information for the domain;
- determining from the correlation whether a probable security condition exists with regard to the domain, wherein the determining the probable security condition comprises;
- comparing legitimate content of the domain with content contained in the gathered messaging information to identify that a volume of messages described in the received messaging information includes content that does not match the legitimate content, wherein the comparing includes;
- identifying a first fingerprint of one or more elements from the legitimate content;
- generating a second fingerprint, wherein the second fingerprint is a fingerprint of one or more elements from the content contained in the gathered messaging information; and
- comparing the second fingerprint with the first fingerprint;
- signaling the probable security condition based at least in part on identifying that the volume of messages includes content that does not match the legitimate content; and
- alerting an owner or an internet service provider associated with the domain of the probable security condition with regard to the domain.
Dependent claims: 19, 20, 21, 22
23. A method of detecting illegitimate traffic originating from a domain, the method comprising:
- deploying a plurality of sensor devices at a plurality of associated nodes on the Internet;
- gathering messaging information from the plurality of sensor devices, wherein the messaging information describes messages originating from a set of IP addresses including a particular IP address;
- correlating a portion of the gathered messaging information for the particular IP address;
- identifying a particular entity associated with the particular IP address;
- determining from the correlation whether a probable security condition exists with regard to the particular IP address, wherein the determining step comprises;
- comparing legitimate content of the particular entity with content contained in the gathered messaging information to identify that a volume of messages described in the received messaging information includes content that does not match the legitimate content, wherein the comparing includes;
- identifying a first fingerprint of one or more elements from the legitimate content;
- generating a second fingerprint, wherein the second fingerprint is a fingerprint of one or more elements from the content contained in the gathered messaging information; and
- comparing the second fingerprint with the first fingerprint;
- signaling the probable security condition based at least in part on identifying that the volume of messages includes content that does not match the legitimate content; and
- alerting an owner associated with the particular IP address or an internet service provider associated with the IP address of the probable security condition with regard to the particular IP address.
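
An illustration of the fingerprint comparison recited in claim 1, added here and not taken from the patent or any product. The element model (kind, source URL, body), the Jaccard score, the 0.5 threshold, the decision rule and all sample data are assumptions made for the example.

```python
import hashlib
from urllib.parse import urlparse

def fingerprint(elements):
    """One SHA-256 digest per element, over its kind and whitespace/case-normalized body."""
    digests = set()
    for kind, _src, body in elements:
        normalized = " ".join(body.split()).lower()
        digests.add(hashlib.sha256((kind + "\x00" + normalized).encode()).hexdigest())
    return digests

def foreign_origins(elements, entity_domain):
    """Hosts serving elements that are neither the entity's domain nor a subdomain of it."""
    hosts = {urlparse(src).hostname or "" for _kind, src, _body in elements}
    return sorted(h for h in hosts
                  if h != entity_domain and not h.endswith("." + entity_domain))

def assess(linked, legitimate, entity_domain, threshold=0.5):
    """Return (degree_of_match, foreign_hosts, spoof).

    Assumed rule: linked content that closely matches the legitimate content
    while drawing elements from another entity's hosts is treated as spoofed.
    """
    first, second = fingerprint(legitimate), fingerprint(linked)
    union = first | second
    degree = len(first & second) / len(union) if union else 0.0
    foreign = foreign_origins(linked, entity_domain)
    return degree, foreign, degree >= threshold and bool(foreign)

# Constructed sample data: the legitimate page of a fictional "Example Bank".
LEGIT = [
    ("img", "https://www.bank.example/logo.png", "logo-bytes-v1"),
    ("form", "https://www.bank.example/login", "username password sign in"),
    ("text", "https://www.bank.example/", "Welcome to Example Bank online banking"),
    ("text", "https://www.bank.example/", "Contact your branch for support"),
]
# Constructed content behind a link in a received message.
LINKED = [
    ("img", "https://www.bank.example/logo.png", "logo-bytes-v1"),
    ("form", "https://login.collector.test/post", "Username  Password  Sign in"),
    ("text", "https://login.collector.test/", "Welcome to Example Bank online banking"),
    ("text", "https://login.collector.test/", "Verify your account now"),
]

if __name__ == "__main__":
    degree, foreign, spoof = assess(LINKED, LEGIT, "bank.example")
    print(f"match={degree:.2f} foreign={foreign} block={spoof}")
```
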
Specification