Methods and systems for phishing detection

US 9,398,047 B2
Filed: 11/17/2014
Issued: 07/19/2016
Est. Priority Date: 11/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method of determining a probability that a received email comprises a phishing attempt, comprising:

receiving an email,analyzing a link within the email to determine whether the link comprises a phishing attempt by;

comparing at least some features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt and determining that the link comprises a phishing attempt if the compared features match the records stored in the remote database;

building a multi-dimensional input vector from at least features of the link if the compared features do not match the records stored in the remote database and evaluating a plurality of the features of the link to set or reset at least one bit of the multi-dimensional input vector;

inputting the built multi-dimensional input vector into a phishing probability engine;

computing, in the phishing probability engine, a probability that the link comprises a phishing attempt; and

acting upon the received email depending upon the computed probability that the link comprises a phishing attempt.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of determining a probability that a received email comprises a phishing attempt may comprise analyzing a link therein to determine whether the link comprises a phishing attempt. This determination may comprise comparing features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt. It may be determined that the link comprises a phishing attempt if there is a match. If the compared features do not match the records stored in the remote database, a multi-dimensional input vector may be built from features of the link, which input vector may then be input into a phishing probability engine. The probability that the link comprises a phishing attempt may be computed by the phishing probability engine. Thereafter, the received email may be acted upon according to the computed probability that the link comprises a phishing attempt.

Citations

24 Claims

1. A method of determining a probability that a received email comprises a phishing attempt, comprising:
- receiving an email,analyzing a link within the email to determine whether the link comprises a phishing attempt by;
  
  comparing at least some features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt and determining that the link comprises a phishing attempt if the compared features match the records stored in the remote database;
  
  building a multi-dimensional input vector from at least features of the link if the compared features do not match the records stored in the remote database and evaluating a plurality of the features of the link to set or reset at least one bit of the multi-dimensional input vector;
  
  inputting the built multi-dimensional input vector into a phishing probability engine;
  
  computing, in the phishing probability engine, a probability that the link comprises a phishing attempt; and
  
  acting upon the received email depending upon the computed probability that the link comprises a phishing attempt.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the link comprises a Uniform Resource Locator (URL).
  - 3. The method of claim 1, wherein the features of the link comprise at least one of a domain name, a subdomain name, a path, a symbol, a keyword, a document title and a meta description.
  - 4. The method of claim 1, wherein at least some of the compared features are brand-specific and at least some of the compared features are not brand-specific.
  - 5. The method of claim 1, wherein building comprises building the multi-dimensional input vector from the features of the link and from content of the webpage pointed to by the link.
  - 6. The method of claim 1, wherein the phishing probability engine comprises a Support Vector Machine (SVM) classifier.
  - 7. The method of claim 6, further comprising training the SVM classifier with a corpus of non-phishing elements and phishing elements to generate a SVM model that is configured to be used by the phishing probability engine.
  - 8. The method of claim 7, wherein the corpus comprises elements that comprise a first file that comprises a hash of the link and a selected quantity and a second file that comprises a hash of contents of a webpage pointed to by the link and the selected quantity.
  - 9. The method of claim 8, wherein the hash comprises a message digest algorithm.
  - 10. The method of claim 1, further comprising attempting to identify a brand that is a focus of at least one of the received email and the link.
  - 11. The method of claim 1, wherein comparing is carried out with the remote database storing a plurality of records, each of which comprising a logical construct that defines a brand.
  - 12. The method of claim 10, wherein the logical construct is formatted as a Document Type Definition (DTD).

13. A computing device configured to determine a probability that a received email comprises a phishing attempt, comprising:
- at least one processor;
  
  at least one data storage device coupled to the at least one processor;
  
  a plurality of processes spawned by said at least one processor, the processes including processing logic for;
  
  receiving an email,analyzing a link within the email to determine whether the link comprises a phishing attempt by;
  
  comparing at least some features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt and determining that the link comprises a phishing attempt if the compared features match the records stored in the remote database;
  
  building a multi-dimensional input vector from at least features of the link if the compared features do not match the records stored in the remote database and evaluating a plurality of the features of the link to set or reset at least one bit of the multi-dimensional input vector;
  
  inputting the built multi-dimensional input vector into a phishing probability engine;
  
  computing, in the phishing probability engine, a probability that the link comprises a phishing attempt; and
  
  acting upon the received email depending upon the computed probability that the link comprises a phishing attempt.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The computing device of claim 13, wherein the link comprises a Uniform Resource Locator (URL).
  - 15. The computing device of claim 13, wherein the features of the link comprise at least one of a domain name, a subdomain name, a path, a symbol, a keyword, a document title and a meta description.
  - 16. The computing device of claim 13, wherein at least some of the compared features are brand-specific and at least some of the compared features are not brand-specific.
  - 17. The computing device of claim 13, further comprising processing logic for building the multi-dimensional input vector from the features of the link and from content of the webpage pointed to by the link.
  - 18. The computing device of claim 13, wherein the phishing probability engine comprises a Support Vector Machine (SVM) classifier.
  - 19. The computing device of claim 18, further comprising processing logic for training the SVM classifier with a corpus of non-phishing elements and phishing elements to generate a SVM model that is configured to be used by the phishing probability engine.
  - 20. The computing device of claim 19, wherein the corpus comprises elements that comprise a first file that comprises a hash of the link and a selected quantity and a second file that comprises a hash of contents of a webpage pointed to by the link and the selected quantity.
  - 21. The computing device of claim 20, wherein the hash comprises a message digest algorithm.
  - 22. The computing device of claim 13, further comprising processing logic for attempting to identify a brand that is a focus of at least one of the received email and the link.
  - 23. The computing device of claim 13, wherein the remote database stores a plurality of records, each of which comprising a logical construct that defines a brand.
  - 24. The computing device of claim 23, wherein the logical construct is formatted as a Document Type Definition (DTD).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VADE USA Incorporated
Original Assignee
Vade Retro Technology Inc.
Inventors
Goutal, Sebastien
Primary Examiner(s)
LEUNG, ROBERT B

Application Number

US14/542,939
Publication Number

US 20160142439A1
Time in Patent Office

610 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

G06N 7/01   Probabilistic graphical mod...

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

Methods and systems for phishing detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for phishing detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links