Determining risk exposure and avoiding fraud using a collection of terms

US 9,245,115 B1
Filed: 02/12/2013
Issued: 01/26/2016
Est. Priority Date: 02/13/2012
Status: Expired due to Fees

- Alert
- Pin

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive an electronic communication;

obtain, from a data store, a first collection of terms, wherein;

the first collection of terms corresponds to a first attack strategy;

the first attack strategy is associated with a plurality of narrative points, wherein the plurality of narrative points comprises a plurality of equivalence classes;

each narrative point of the first attack strategy is associated with a corresponding group of terms representative of the narrative point;

the groups of terms corresponding to the narrative points collectively comprise the first collection of terms; and

a second attack strategy that is different from the first attack strategy is associated with a second collection of terms;

evaluate the received communication to determine whether the received communication is indicative of the first attack strategy, wherein the evaluating includes;

for each narrative point of the first attack strategy, determining whether the received communication includes the presence of one or more terms matching to the group of terms corresponding to the narrative point;

determining whether the received communication includes the presence of terms matching to a threshold number of narrative points; and

determining whether terms present in the communication that match to the narrative points of the first attack strategy occur in a particular order; and

classify the received communication based at least in part on the evaluation; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

Classification of electronic communications includes receiving an electronic communication, evaluating the received communication against a collection of terms, and classifying the received communication based at least in part on the evaluation. The collection of terms is representative of a particular strategy of an attacker. The evaluation includes determining a presence of a portion of the collection of terms in the electronic communication.

Citations

21 Claims

1. A system, comprising:
- a processor configured to;
  
  receive an electronic communication;
  
  obtain, from a data store, a first collection of terms, wherein;
  
  the first collection of terms corresponds to a first attack strategy;
  
  the first attack strategy is associated with a plurality of narrative points, wherein the plurality of narrative points comprises a plurality of equivalence classes;
  
  each narrative point of the first attack strategy is associated with a corresponding group of terms representative of the narrative point;
  
  the groups of terms corresponding to the narrative points collectively comprise the first collection of terms; and
  
  a second attack strategy that is different from the first attack strategy is associated with a second collection of terms;
  
  evaluate the received communication to determine whether the received communication is indicative of the first attack strategy, wherein the evaluating includes;
  
  for each narrative point of the first attack strategy, determining whether the received communication includes the presence of one or more terms matching to the group of terms corresponding to the narrative point;
  
  determining whether the received communication includes the presence of terms matching to a threshold number of narrative points; and
  
  determining whether terms present in the communication that match to the narrative points of the first attack strategy occur in a particular order; and
  
  classify the received communication based at least in part on the evaluation; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 21)
- - 2. The system of claim 1 wherein the processor is further configured to perform a language detection on the received communication.
  - 3. The system of claim 2 wherein the language detection is performed based at least in part on a detection of the presence of a set of terms.
  - 4. The system of claim 1 wherein the processor is further configured to determine that the received electronic communication is associated with at least one additional message.
  - 5. The method of claim 4 wherein the processor is further configured to classify the received communication at least in part by examining the received communication and the additional message in the aggregate.
  - 6. The system of claim 1 wherein classifying includes determining a distance between terms as they appear in the communication.
  - 7. The system of claim 1 wherein the first collection of terms is determined in response to an evaluation by a plurality of workers of a fraudulent communication.
  - 8. The system of claim 1 wherein the first collection of terms is determined based at least in part on a prior classification by a server of a message as fraudulent.
  - 9. The system of claim 1 wherein the first collection of terms includes, for at least one term in the collection, a set of equivalent terms.
  - 10. The system of claim 9 wherein the processor is substitute a term in the set of equivalent terms for a term appearing in the communication.
  - 11. The system of claim 1 wherein a term includes at least one letter and at least one number.
  - 12. The system of claim 1 wherein the processor is configured to analyze a portion of an email address associated with the communication and to select a collection of terms for use in classification based at least in part on the analyzed address.
  - 13. The system of claim 1 wherein the communication is received from a honeypot.
  - 14. The system of claim 1 wherein the communication is classified in accordance with a tertiary classification scheme.
  - 15. The system of claim 1 wherein the processor is further configured to receive, from at least one human reviewer, a classification of the communication.
  - 16. The system of claim 1 wherein the classifying is performed by using a set of rules.
  - 17. The system of claim 1 wherein the classifying is performed at least in part by using a support vector machine.
  - 18. The system of claim 1 wherein the classifying is performed at least in part by using an artificial intelligence computation.
  - 21. The system of claim 15 wherein the reviewer is associated with a reputation.

19. A method of, comprising:
- receiving an electronic communication;
  
  obtaining, from a data store, a first collection of terms, wherein;
  
  the first collection of terms corresponds to a first attack strategy;
  
  the first attack strategy is associated with a plurality of narrative points,wherein the plurality of narrative points comprises a plurality of equivalence classes;
  
  each narrative point of the first attack strategy is associated with a corresponding group of terms representative of the narrative point;
  
  the groups of terms corresponding to the narrative points collectively comprise the first collection of terms; and
  
  a second attack strategy that is different from the first attack strategy is associated with a second collection of terms;
  
  evaluating, using a processor, the received communication to determine whether the received communication is indicative of the first attack strategy, wherein the evaluating includes;
  
  for each narrative point of the first attack strategy, determining whether the received communication includes the presence of one or more terms matching to the group of terms corresponding to the narrative point;
  
  determining whether the received communication includes the presence of terms matching to a threshold number of narrative points; and
  
  determining whether terms present in the communication that match to the narrative points of the first attack strategy occur in a particular order; and
  
  classifying the received communication based at least in part on the evaluation.

20. A computer program product embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- receiving an electronic communication;
  
  obtaining, from a data store, a first collection of terms, wherein;
  
  the first collection of terms corresponds to a first attack strategy;
  
  the first attack strategy is associated with a plurality of narrative points,wherein the plurality of narrative points comprises a plurality of equivalence classes;
  
  each narrative point of the first attack strategy is associated with a corresponding group of terms representative of the narrative point;
  
  the groups of terms corresponding to the narrative points collectively comprise the first collection of terms; and
  
  a second attack strategy that is different from the first attack strategy is associated with a second collection of terms;
  
  evaluating the received communication to determine whether the received communication is indicative of the first attack strategy, wherein the evaluating includes;
  
  for each narrative point of the first attack strategy, determining whether the received communication includes the presence of one or more terms matching to the group of terms corresponding to the narrative point;
  
  determining whether the received communication includes the presence of terms matching to a threshold number of narrative points; and
  
  determining whether terms present in the communication that match to the narrative points of the first attack strategy occur in a particular order; and
  
  classifying the received communication based at least in part on the evaluation.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
ZapFraud, Inc. (Bjorn Markus Jakobsson)
Original Assignee
ZapFraud, Inc. (Bjorn Markus Jakobsson)
Inventors
Jakobsson, Bjorn Markus
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Wright, Bryan

Application Number

US13/765,635
Time in Patent Office

1,078 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1408   by monitoring network traff...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Determining risk exposure and avoiding fraud using a collection of terms

First Claim

1 Assignment

Litigations

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Determining risk exposure and avoiding fraud using a collection of terms

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links