Collaborative phishing attack detection

US 8,719,940 B1
Filed: 03/05/2013
Issued: 05/06/2014
Est. Priority Date: 02/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a first computer system, a notification that a message has been identified by one or more individuals as a possible phishing attack, the message having been received on a computing device of each of the one or more individuals;

determining, by the first computer system, whether the message is a known simulated phishing attack; and

if the message is a known simulated phishing attack, recording in a database that each of the one or more individuals has correctly identified the message as a possible phishing attack;

otherwise,if the message is not a known simulated phishing attack,determining, by the first computer system, a trustworthiness level for each of the one or more individuals; and

processing, by the first computer system, the message based on the trustworthiness level of each of the one or more individuals to classify or not classify the message as a real phishing attack, wherein for a first one of the one or more individuals, the trustworthiness level of the first individual is based on one or more of;

a percentage of simulated phishing attacks that the first individual correctly identified as a possible phishing attack,a percentage of simulated phishing attacks that the first individual ignored,a percentage of simulated phishing attacks that the first individual fell victim to, a sophistication level of a simulated phishing attack received by the first individual,a type of simulated phishing attack received by the first individual, a number of simulated phishing attacks that the first individual correctly identified as a possible phishing attack,a number of simulated phishing attacks that the first individual ignored, and a number of simulated phishing attacks that the first individual fell victim to,a number of real phishing attacks that the first individual correctly identified as a possible phishing attack,a number of real phishing attacks that the first individual ignored,a number of real phishing attacks that the first individual fell victim to,a field of employment of the first individual,an educational degree of the first individual,a job position of the first individual, andan employment history of the first individual.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.

277 Citations

15 Claims

1. A method, comprising:
- receiving, at a first computer system, a notification that a message has been identified by one or more individuals as a possible phishing attack, the message having been received on a computing device of each of the one or more individuals;
  
  determining, by the first computer system, whether the message is a known simulated phishing attack; and
  
  if the message is a known simulated phishing attack, recording in a database that each of the one or more individuals has correctly identified the message as a possible phishing attack;
  
  otherwise,if the message is not a known simulated phishing attack,determining, by the first computer system, a trustworthiness level for each of the one or more individuals; and
  
  processing, by the first computer system, the message based on the trustworthiness level of each of the one or more individuals to classify or not classify the message as a real phishing attack, wherein for a first one of the one or more individuals, the trustworthiness level of the first individual is based on one or more of;
  
  a percentage of simulated phishing attacks that the first individual correctly identified as a possible phishing attack,a percentage of simulated phishing attacks that the first individual ignored,a percentage of simulated phishing attacks that the first individual fell victim to, a sophistication level of a simulated phishing attack received by the first individual,a type of simulated phishing attack received by the first individual, a number of simulated phishing attacks that the first individual correctly identified as a possible phishing attack,a number of simulated phishing attacks that the first individual ignored, and a number of simulated phishing attacks that the first individual fell victim to,a number of real phishing attacks that the first individual correctly identified as a possible phishing attack,a number of real phishing attacks that the first individual ignored,a number of real phishing attacks that the first individual fell victim to,a field of employment of the first individual,an educational degree of the first individual,a job position of the first individual, andan employment history of the first individual.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein a single graphical user interface action performed by a first one of the one or more individuals is sufficient to trigger the notification to be sent from the computing device of the first individual.
  - 3. The method of claim 1, wherein determining whether the message is a known simulated phishing attack comprises comparing characteristics of the message with a log of transmitted simulated phishing attacks.
  - 4. The method of claim 3, wherein characteristics of the message include one or more of a sender identifier of the message, a recipient identifier of the message, a subject of the message, a time of transmission of the message, and a header of the message.
  - 5. The method of claim 1, wherein determining whether the message is a known simulated phishing attack comprises analyzing characteristics of the message at a client-side plug-in.
  - 6. The method of claim 1, wherein determining whether the message is a known simulated phishing attack comprises comparing the message with simulated phishing attacks.
  - 7. The method of claim 1, wherein the first individual correctly identifying a more sophisticated simulated phishing attack results in a higher trustworthiness level for the first individual, as compared to the first individual correctly identifying a less sophisticated simulated phishing attack.
  - 8. The method of claim 1, wherein for a first one of the one or more individuals, the trustworthiness level of the first individual is based on a rating assigned to the first individual by each person within a social network of the first individual.
  - 9. The method of claim 1, wherein processing the message comprises classifying or not classifying the message as a real phishing attack based on the trustworthiness level of each of the one or more individuals.
  - 10. The method of claim 9, wherein the one or more individuals consists of a single individual and if the trustworthiness level of the single individual exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
  - 11. The method of claim 9, wherein the one or more individuals comprises more than one individual, and if an average of the trustworthiness levels exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
  - 12. The method of claim 9, wherein the one or more individuals comprises more than one individual, and further determining a maximum value of the trustworthiness levels and wherein, if the maximum value exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
  - 13. The method of claim 9, wherein the one or more individuals comprises more than one individual, and further determining a number of the individuals with a trustworthiness level above a first threshold and wherein, if the number exceeds a second threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
  - 14. The method of claim 1, wherein processing the message comprises calculating a numerical value indicative of a likelihood the message is a real phishing attack based on the trustworthiness level of each of the one or more individuals.

15. A method, comprising:
- receiving, at a first computer system, a notification that a message has been identified by one or more individuals as a possible phishing attack, the message having been received on a computing device of each of the one or more individuals;
  
  determining, by the first computer system, whether the message is a known simulated phishing attack; and
  
  if the message is a known simulated phishing attack, recording in a database that each of the one or more individuals has correctly identified the message as a possible phishing attack;
  
  otherwise,if the message is not a known simulated phishing attack,determining, by the first computer system, a trustworthiness level for each of the one or more individuals; and
  
  processing, by the first computer system, the message based on the trustworthiness level of each of the one or more individuals to classify or not classify the message as a real phishing attack, wherein the one or more individuals comprises more than one individual, and if an average of the trustworthiness levels exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cofense, Inc.
Original Assignee
PhishMe Incorporated
Inventors
Higbee, Aaron, Belani, Rohyt, Greaux, Scott
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US13/785,252
Time in Patent Office

427 Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

Collaborative phishing attack detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

277 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Collaborative phishing attack detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

277 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links