Methods and systems for phishing detection
First Claim
1. A method of determining a probability that a received email comprises a phishing attempt, comprising:
- receiving an email,analyzing a link within the email to determine whether the link comprises a phishing attempt by;
comparing at least some features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt and determining that the link comprises a phishing attempt if the compared features match the records stored in the remote database;
building a multi-dimensional input vector from at least features of the link if the compared features do not match the records stored in the remote database and evaluating a plurality of the features of the link to set or reset at least one bit of the multi-dimensional input vector;
inputting the built multi-dimensional input vector into a phishing probability engine;
computing, in the phishing probability engine, a probability that the link comprises a phishing attempt; and
acting upon the received email depending upon the computed probability that the link comprises a phishing attempt.
5 Assignments
0 Petitions
Accused Products
Abstract
A method of determining a probability that a received email comprises a phishing attempt may comprise analyzing a link therein to determine whether the link comprises a phishing attempt. This determination may comprise comparing features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt. It may be determined that the link comprises a phishing attempt if there is a match. If the compared features do not match the records stored in the remote database, a multi-dimensional input vector may be built from features of the link, which input vector may then be input into a phishing probability engine. The probability that the link comprises a phishing attempt may be computed by the phishing probability engine. Thereafter, the received email may be acted upon according to the computed probability that the link comprises a phishing attempt.
-
Citations
24 Claims
-
1. A method of determining a probability that a received email comprises a phishing attempt, comprising:
-
receiving an email, analyzing a link within the email to determine whether the link comprises a phishing attempt by; comparing at least some features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt and determining that the link comprises a phishing attempt if the compared features match the records stored in the remote database; building a multi-dimensional input vector from at least features of the link if the compared features do not match the records stored in the remote database and evaluating a plurality of the features of the link to set or reset at least one bit of the multi-dimensional input vector; inputting the built multi-dimensional input vector into a phishing probability engine; computing, in the phishing probability engine, a probability that the link comprises a phishing attempt; and acting upon the received email depending upon the computed probability that the link comprises a phishing attempt. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A computing device configured to determine a probability that a received email comprises a phishing attempt, comprising:
-
at least one processor; at least one data storage device coupled to the at least one processor; a plurality of processes spawned by said at least one processor, the processes including processing logic for; receiving an email, analyzing a link within the email to determine whether the link comprises a phishing attempt by; comparing at least some features of the link with records stored in a remote database to determine whether the link comprises a phishing attempt and determining that the link comprises a phishing attempt if the compared features match the records stored in the remote database; building a multi-dimensional input vector from at least features of the link if the compared features do not match the records stored in the remote database and evaluating a plurality of the features of the link to set or reset at least one bit of the multi-dimensional input vector; inputting the built multi-dimensional input vector into a phishing probability engine; computing, in the phishing probability engine, a probability that the link comprises a phishing attempt; and acting upon the received email depending upon the computed probability that the link comprises a phishing attempt. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
-
Specification