Collaborative phishing attack detection

US 9,253,207 B2
Filed: 02/08/2013
Issued: 02/02/2016
Est. Priority Date: 02/08/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating, by a network device, a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;

electronically storing, by the network device, the predetermined identifier in a computerized data store;

receiving, by the network device from a computing device associated with an individual, a notification triggered by a user action by the individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;

determining, by the network device, whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the body of the message or to the metadata of the message;

if the message is identified by the individual as a simulated phishing attack, recording in a database that the individual has correctly identified the message as a possible phishing attack;

if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, determining, at the network device, whether the identified message may be a threat based on at least whether the individual has correctly identified a previous message as a possible phishing attack;

processing, by the network device, the message based on the determination of whether the identified message may be a threat.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are methods, network devices and machine-readable storage media for detecting whether a message is a phishing attack based on the collective responses from one or more individuals who have received that message. The individuals may flag the message as a possible phishing attack, and/or may provide a numerical ranking indicating the likelihood that the message is a possible phishing attack. As responses from different individuals may have a different degree of reliability, each response from an individual may be weighted with a corresponding trustworthiness level of that individual, in an overall determination as to whether a message is a phishing attack. A trustworthiness level of an individual may indicate a degree to which the response of that individual can be trusted and/or relied upon, and may be determined by how well that individual recognized simulated phishing attacks.

241 Citations

20 Claims

1. A method, comprising:
- generating, by a network device, a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
  
  electronically storing, by the network device, the predetermined identifier in a computerized data store;
  
  receiving, by the network device from a computing device associated with an individual, a notification triggered by a user action by the individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining, by the network device, whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the body of the message or to the metadata of the message;
  
  if the message is identified by the individual as a simulated phishing attack, recording in a database that the individual has correctly identified the message as a possible phishing attack;
  
  if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, determining, at the network device, whether the identified message may be a threat based on at least whether the individual has correctly identified a previous message as a possible phishing attack;
  
  processing, by the network device, the message based on the determination of whether the identified message may be a threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein processing the message based on a trustworthiness level of the individual further comprises forwarding the message to a computer security technician for analysis to determine if the message is a real phishing attack or not.
  - 3. The method of claim 1, wherein a trustworthiness level of the individual is based on a rating assigned to the individual within a social network of the individual.
  - 4. The method of claim 1, wherein if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, classifying or not classifying the message as a real phishing attack based on a trustworthiness level the individual.
  - 5. The method of claim 4, wherein if the trustworthiness level of the individual exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
  - 6. The method of claim 1, further comprising calculating a numerical value indicative of a likelihood the message is a real phishing attack based on a trustworthiness level of the individual.
  - 7. The method of claim 1, further comprising:
    - calculating an average of trustworthiness level of multiple individuals who have triggered a notification of the message; and
      
      comparing the average with a threshold to classify or not classify the message as a real phishing attack.
  - 8. The method of claim 1, wherein a trustworthiness level of the individual is based on one or more of a percentage of simulated phishing attacks that the individual correctly identified as a possible phishing attack, a percentage of simulated phishing attacks that the individual ignored, and a percentage of simulated phishing attacks that the individual fell victim to.
  - 9. The method of claim 1, wherein a trustworthiness level of the individual is based on a sophistication level of a simulated phishing attack received by the individual.
  - 10. The method of claim 9, wherein the individual correctly identifying a more sophisticated simulated phishing attack results in a higher trustworthiness level for the individual, as compared to the individual correctly identifying a less sophisticated simulated phishing attack.

11. A system comprising:
- a processor;
  
  a storage device connected to the processor;
  
  a network server device; and
  
  a set of instructions on the storage device that, when executed by the processor, cause the processor perform the steps of;
  
  generating, by the processor, a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
  
  electronically storing, on the storage device, the predetermined identifier in a computerized data store;
  
  receiving, by the processor from a computing device associated with an individual, a notification triggered by a user action by the individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining, by the processor, whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the body of the message or to the metadata of the message;
  
  if the message is identified by the individual as a simulated phishing attack, recording in a database that the individual has correctly identified the message as a possible phishing attack;
  
  if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, determining, at the processor, whether the identified message may be a threat based on at least whether the individual has correctly identified a previous message as a possible phishing attack; and
  
  processing, by the processor, the message based on the determination of whether the identified message may be a threat.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, classifying or not classifying the message as a real phishing attack based on a trustworthiness level the individual.
  - 13. The system of claim 11, wherein if the trustworthiness level of the individual exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
  - 14. The system of claim 11, further comprising calculating a numerical value indicative of a likelihood the message is a real phishing attack based on the trustworthiness level of the individual.

15. A non-transitory computer-readable recording medium storing a simulated phishing message administration computer program, the simulated phishing message administration computer program causing a processor to perform steps comprising:
- generating, by a network device, a simulated phishing message, the message comprising a predetermined identifier in the message or in metadata of the message;
  
  electronically storing, by the network device, the predetermined identifier in a computerized data store;
  
  receiving, by the network device from a computing device associated with an individual, a notification triggered by a user action by the individual that a message delivered in an account associated with the individual has been identified by the individual as a possible phishing attack;
  
  determining, by the network device, whether the identified message is a known simulated phishing attack by comparing the predetermined identifier to an identifier from the body of the message or to the metadata of the message;
  
  if the message is identified by the individual as a simulated phishing attack, recording in a database that the individual has correctly identified the message as a possible phishing attack;
  
  if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, determining, at the network device, whether the identified message may be a threat based on at least whether the individual has correctly identified a previous message as a possible phishing attack; and
  
  processing, by the network device, the message based on the determination of whether the identified message may be a threat.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable recording medium of claim 15, wherein if the message is determined not to be a known simulated phishing attack based on the comparison of the identifier, classifying or not classifying the message as a real phishing attack based on a trustworthiness level the individual.
  - 17. The non-transitory computer-readable recording medium of claim 15, wherein if a trustworthiness level of the individual exceeds a threshold, classifying the message as a real phishing attack, otherwise, not classifying the message as a real phishing attack.
  - 18. The non-transitory computer-readable recording medium of claim 15, further comprising calculating a numerical value indicative of a likelihood the message is a real phishing attack based on a trustworthiness level of the individual.
  - 19. The non-transitory computer-readable recording medium of claim 15, further comprising:
    - calculating an average of trustworthiness level of multiple individuals who have triggered a notification of the message; and
      
      comparing the average with a threshold to classify or not classify the message as a real phishing attack.
  - 20. The non-transitory computer-readable recording medium of claim 15, wherein a trustworthiness level of the individual is based on one or more of a percentage of simulated phishing attacks that the individual correctly identified as a possible phishing attack, a percentage of simulated phishing attacks that the individual ignored, and a percentage of simulated phishing attacks that the individual fell victim to.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cofense, Inc.
Original Assignee
PhishMe Incorporated
Inventors
Higbee, Aaron, Belani, Rohyt, Greaux, Scott
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US13/763,538
Publication Number

US 20140230050A1
Time in Patent Office

1,089 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

Collaborative phishing attack detection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

241 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Collaborative phishing attack detection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

241 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links