Systems and methods for identifying potentially malicious messages

US 8,578,480 B2
Filed: 06/09/2006
Issued: 11/05/2013
Est. Priority Date: 03/08/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting a spoofing situation with respect to one or more electronic communications, the method comprising:

receiving an electronic communication through a network interface addressed to a recipient;

storing the electronic communication in computer memory;

determining, by one or more processors and prior to the communication being provided to the recipient, that the electronic communication includes a link associated with a description of a first entity and that the link links to first content represented as particular content of the first entity, wherein the first content includes a first set of elements;

identifying a legitimate version of the particular content including a second set of elements, wherein identifying the legitimate version includes identifying a first fingerprint of one or more elements from the legitimate version;

generating a second fingerprint, wherein the second fingerprint is a fingerprint of one or more elements from the first content;

determining a degree of match between the first and second sets of elements based at least in part on a comparison of the second fingerprint with the first fingerprint, wherein determining the degree of match includes determining whether one or more elements of the first set of elements originate from a second entity different from the first entity;

detecting, by the one or more processors, prior to the communication being provided to the recipient that a spoofing situation exists with respect to the received electronic communication based upon the determined degree of match; and

in response to detecting that a spoofing situation exists, blocking the communication from being provided to the recipient.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented systems and methods for identifying illegitimate messaging activity on a system using a network of sensors.

684 Citations

23 Claims

1. A computer-implemented method for detecting a spoofing situation with respect to one or more electronic communications, the method comprising:
- receiving an electronic communication through a network interface addressed to a recipient;
  
  storing the electronic communication in computer memory;
  
  determining, by one or more processors and prior to the communication being provided to the recipient, that the electronic communication includes a link associated with a description of a first entity and that the link links to first content represented as particular content of the first entity, wherein the first content includes a first set of elements;
  
  identifying a legitimate version of the particular content including a second set of elements, wherein identifying the legitimate version includes identifying a first fingerprint of one or more elements from the legitimate version;
  
  generating a second fingerprint, wherein the second fingerprint is a fingerprint of one or more elements from the first content;
  
  determining a degree of match between the first and second sets of elements based at least in part on a comparison of the second fingerprint with the first fingerprint, wherein determining the degree of match includes determining whether one or more elements of the first set of elements originate from a second entity different from the first entity;
  
  detecting, by the one or more processors, prior to the communication being provided to the recipient that a spoofing situation exists with respect to the received electronic communication based upon the determined degree of match; and
  
  in response to detecting that a spoofing situation exists, blocking the communication from being provided to the recipient.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the spoofing situation is a phishing situation wherein the link to the linked entity is a hyperlink to a website operated by the linked entity.
  - 3. The method of claim 2, wherein the linked entity is an attacker whose website, to which the hyperlink links, is configured for feigning association with the first entity and for acquiring confidential information from a user for illegitimate gain.
  - 4. The method of claim 1, wherein the first and second sets of elements include graphical elements.
  - 5. The method of claim 1, wherein generating the fingerprints includes use of a winnowing fingerprint approach.
  - 6. The method of claim 1, wherein the first and second sets of elements include image elements.
  - 7. The method of claim 1, wherein the degree of match includes a match selected from the group consisting of a complete match, strong match, partial match, totally incomplete match, and combinations thereof.
  - 8. The method of claim 1, further comprising:
    - storing a number of instances of legitimate and illegitimate usages based upon whether the fingerprint of the first content and the fingerprint of the legitimate version of the particular content match; and
      
      displaying statistics comparing the number of instances of legitimate usage versus the number of instances of illegitimate usages.
  - 9. The method of claim 1, wherein results of said detecting step are provided to a reputation system;
    - wherein the reputation system uses the provided results as part of its determination of what reputation should be ascribed to a sender of the electronic communication.
  - 10. The method of claim 1, wherein results of said detecting step are provided to a fraud database for correlation and aggregation.
  - 11. The method of claim 1, wherein an action is performed in response to results of said detecting step;
    - andwherein the action includes shutting down a website associated with the second entity.
  - 12. The method of claim 1, wherein a notification is provided to the first entity of results of said detecting step.
  - 13. The method of claim 1, further comprising:
    - determining whether a mismatch has occurred with an href attribute in the received electronic communication; and
      
      detecting whether a spoofing situation exists with respect to the received electronic communication based upon the determination with respect to the href attribute mismatch.
  - 14. The method of claim 1, wherein the electronic communication is a communication selected from the group consisting of an e-mail message, and instant message, an SMS communication, a VOIP communication, a WAP communication, and combinations thereof.
  - 15. The method of claim 1, further comprising:
    - responsive to detecting a spoofing situation exists, performing at least one of the steps comprising changing the reputation of the sender of the communication.
  - 16. The method of claim 1, wherein the step of detecting further comprises:
    - determining a reputation associated with a URL included in the communication;
      
      determining whether the age of the domain used in the URL is greater than a threshold;
      
      determining whether the owner of the domain/IP hosting a URL included in the communication matches the owner of an IP address associated with the communication; and
      
      determining whether an owner of a phone number associated with the communication matches a database of known spoofing phone numbers.
  - 17. The method of claim 1, wherein the first and second sets of elements include at least one of anchor text or an image.

18. A method of detecting illegitimate traffic originating from a domain, the method comprising:
- deploying a plurality of sensor devices at a plurality of associated nodes on the Internet;
  
  gathering messaging information from the plurality of sensor devices, wherein the messaging information describes messages originating from a set of domains including the domain;
  
  correlating a portion of the gathered messaging information for the domain;
  
  determining from the correlation whether a probable security condition exists with regard to the domain, wherein the determining the probable security condition comprises;
  
  comparing legitimate content of the domain with content contained in the gathered messaging information to identify that a volume of messages described in the received messaging information includes content that does not match the legitimate content, wherein the comparing includes;
  
  identifying a first fingerprint of one or more elements from the legitimate content;
  
  generating a second fingerprint, wherein the second fingerprint is a fingerprint of one or more elements from the content contained in the gathered messaging information; and
  
  comparing the second fingerprint with the first fingerprint;
  
  signaling the probable security condition based at least in part on identifying that the volume of messages includes content that does not match the legitimate content; and
  
  alerting an owner or an internet service provider associated with the domain of the probable security condition with regard to the domain.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method of claim 18, wherein the determining step comprises:
    - comparing a list of company URLs contained in the gathered messaging information with an inventory of permitted URLs based upon one or more IP addresses associated with a particular entity associated with the domain; and
      
      if the list of company URLs contained in the received messaging information do not match the inventory of permitted URLs, signaling the probable security condition.
  - 20. The method of claim 18, wherein the determining step comprises:
    - comparing message traffic levels of multiple machines associated with the same domain, the messaging traffic levels being based on a messaging traffic level of messages from the domain; and
      
      if the message traffic levels of multiple machines associated with the samc domain display similar peak or similarly sporadic traffic levels during similar time periods, signaling the probable security condition.
  - 21. The method of claim 18, wherein the sensor devices collect information about messaging traffic which travels across the associated nodes without regard to the origin or destination of the messaging traffic.
  - 22. The method of claim 21, wherein the sensor devices collect information about all messaging traffic which travels across the associated nodes without regard to a protocol associated with the messaging traffic.

23. A method of detecting illegitimate traffic originating from a domain, the method comprising:
- deploying a plurality of sensor devices at a plurality of associated nodes on the Internet;
  
  gathering messaging information from the plurality of sensor devices, wherein the messaging information describes messages originating from a set of IP addresses including a particular IP address;
  
  correlating a portion of the gathered messaging information for the particular IP address;
  
  identifying a particular entity associated with the particular IP address;
  
  determining from the correlation whether a probable security condition exists with regard to the particular IP address, wherein the determining step comprises;
  
  comparing legitimate content of the particular entity with content contained in the gathered messaging information to identify that a volume of messages described in the received messaging information includes content that does not match the legitimate content, wherein the comparing includes;
  
  identifying a first fingerprint of one or more elements from the legitimate content;
  
  generating a second fingerprint, wherein the second fingerprint is a fingerprint of one or more elements from the content contained in the gathered messaging information; and
  
  comparing the second fingerprint with the first fingerprint;
  
  signaling the probable security condition based at least in part on identifying that the volume of messages includes content that does not match the legitimate content; and
  
  alerting an owner associated with the particular IP address or an internet service provider associated with the IP address of the probable security condition with regard to the particular IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Judge, Paul, Alperovitch, Dmitri, Krasser, Sven, Schneck, Phyllis Adele, Zdziarski, Jonathan Alexander
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US11/423,313
Publication Number

US 20060251068A1
Time in Patent Office

2,706 Days
Field of Search

726 22- 25, 713/188
US Class Current

726/22
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 67/00   Network arrangements or pro...

Systems and methods for identifying potentially malicious messages

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

684 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying potentially malicious messages

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

684 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links