Email spoofing detection via infrastructure machine learning

US 9,450,982 B1
Filed: 06/19/2015
Issued: 09/20/2016
Est. Priority Date: 06/19/2015
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising a hardware processor for detecting a spoofed information packet, the method comprising the steps of:

building a database from data values from predetermined designated fields of metadata from a previously received information packet and a currently received information packet, further including the steps of;

locating the predetermined designated fields within the metadata of the previously received information packet;

extracting a value from each of the predetermined designated fields within the metadata of the previously received information packet;

updating the database with each value extracted from the metadata of the previously received information packet and storing each extracted value into at least one data structure of a group of data structures within the database;

locating the predetermined designated fields within the metadata of the currently received information packet;

extracting a value from each of the predetermined designated fields of metadata of the currently received information packet;

updating the database with each value extracted from the currently received information packet and storing each extracted value from each of the predetermined designated fields of the currently received information packet into at least one of a data structure of the group of data structures within the database, such that each value extracted from the predetermined designated fields of the currently received information packet will be stored within a data structure of the group of data structures, which comprises a designation of the predetermined designated field from which the value was extracted;

the step of building the database further includes the predetermined designated fields comprise a from domain value, a sender domain value, a return-path domain value, an Internet Protocol address value, or combinations thereof;

wherein the group of data structures, comprise;

a first data structure comprising a from domain predetermined designated field designation value corresponding to an Internet Protocol address predetermined designated field designation value;

a second data structure comprising a sender domain predetermined designated field designation value corresponding to the Internet Protocol address predetermined designated field designation value;

a third data structure comprising a return-path domain predetermined designated field designation value corresponding to the Internet Protocol address predetermined designated field designation value;

a fourth data structure comprising the from domain predetermined designated field designation value corresponding to the return-path domain predetermined designated field designation value;

a fifth data structure comprising the sender domain predetermined designated field designation value corresponding to the return-path domain predetermined designated field designation value andgenerating, by the hardware processor, a spoofed score for the currently received information packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting a spoofed information packet, includes the steps of building a database from a data value from predetermined designated fields of metadata from a previously and currently received information packet, which includes locating the predetermined designated fields within the previously received information packet metadata; extracting a value from each of the predetermined designated fields; and updating the database with each value with storing each value into at least one data structure of a group of data structures within the database. The method also includes locating predetermined designated fields within metadata of the currently received information packet within data structures, extracting the values from the fields, updating the data base with values extracted and generating a spoofed score for the currently received information packet.

12 Citations

View as Search Results

19 Claims

1. A computer implemented method comprising a hardware processor for detecting a spoofed information packet, the method comprising the steps of:
- building a database from data values from predetermined designated fields of metadata from a previously received information packet and a currently received information packet, further including the steps of;
  
  locating the predetermined designated fields within the metadata of the previously received information packet;
  
  extracting a value from each of the predetermined designated fields within the metadata of the previously received information packet;
  
  updating the database with each value extracted from the metadata of the previously received information packet and storing each extracted value into at least one data structure of a group of data structures within the database;
  
  locating the predetermined designated fields within the metadata of the currently received information packet;
  
  extracting a value from each of the predetermined designated fields of metadata of the currently received information packet;
  
  updating the database with each value extracted from the currently received information packet and storing each extracted value from each of the predetermined designated fields of the currently received information packet into at least one of a data structure of the group of data structures within the database, such that each value extracted from the predetermined designated fields of the currently received information packet will be stored within a data structure of the group of data structures, which comprises a designation of the predetermined designated field from which the value was extracted;
  
  the step of building the database further includes the predetermined designated fields comprise a from domain value, a sender domain value, a return-path domain value, an Internet Protocol address value, or combinations thereof;
  
  wherein the group of data structures, comprise;
  
  a first data structure comprising a from domain predetermined designated field designation value corresponding to an Internet Protocol address predetermined designated field designation value;
  
  a second data structure comprising a sender domain predetermined designated field designation value corresponding to the Internet Protocol address predetermined designated field designation value;
  
  a third data structure comprising a return-path domain predetermined designated field designation value corresponding to the Internet Protocol address predetermined designated field designation value;
  
  a fourth data structure comprising the from domain predetermined designated field designation value corresponding to the return-path domain predetermined designated field designation value;
  
  a fifth data structure comprising the sender domain predetermined designated field designation value corresponding to the return-path domain predetermined designated field designation value andgenerating, by the hardware processor, a spoofed score for the currently received information packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method for detecting a spoofed information packet of claim 1 wherein:
    - the previously received information packet comprises previously received e-mail; and
      
      the currently received information packet comprises currently received e-mail.
  - 3. The method for detecting a spoofed information packet of claim 1, wherein the Internet Protocol address value is a last hop server address value, wherein the last hop server address value is transmitted to a receiving spoof detection server.
  - 4. The method for detecting a spoofed information packet of claim 1, wherein the step of updating the database with extracted values from each extracted value from each of the predetermined designated fields the metadata of the previously received information packet or e-mail, further comprises:
    - the step of storing a from domain value, a sender domain value and a return-path domain value, extracted from the previously received information packet, such that the from domain value is stored in the from domain predetermined designated field designation value of first data structure, the sender domain value is stored in the sender domain predetermined designated field designation value of the second data structure, and the return-path domain value is stored within the return-path domain value predetermined designated field designation value of the third data structure respectively, and an extracted value of an Internet Protocol address value, extracted from the previously received information packet, is stored in each of the first, second and third data structures in the Internet Protocol address predetermined designated field designation value respectively, in correspondence with each of the stored from domain, sender domain and return-path domain values; and
      
      storing the from domain value in the fourth data structure in the from domain predetermined designated field designation value and the sender domain value in the fifth data structure in the sender domain predetermined designated field designation value, and storing the return-path domain value in the fourth and fifth data structures in the return-path domain predetermined designated field designation values of the fourth and fifth data structures, corresponding to the stored from and sender domain values, respectively.
  - 5. The method for detecting a spoofed information packet of claim 1, wherein the step of updating the database with extracted values from each extracted value from each of the predetermined designated fields the metadata of the currently received information packet or e-mail comprises the steps of:
    - storing a from domain value, a sender domain value and a return-path domain value in the from domain extracted from the currently received information packet, such that the from domain value is store in the from domain predetermined designated field designation value of first data structure, in the sender domain predetermined designated field designation value, and in the return-path domain predetermined designated field designation value of the third data structure, respectively, and an extracted value of an Internet Protocol address value is stored in each of the first, second and third data structures in the Internet Protocol address predetermined designated field designation value in correspondence with each of the stored from domain, sender domain and return-path domain values, respectively; and
      
      storing the from domain value in the fourth data structure in the from domain predetermined designated field designation value and the sender domain value in the fifth data structure in the sender domain predetermined designated field designation value, and the return-path domain value in the fourth and fifth data structures in the return-path domain predetermined designated field value of the fourth and fifth data structures corresponding to the stored from and sender domain values.
  - 6. The method for detecting a spoofed information packet of claim 5, further including the steps of:
    - maintaining a score count comprising a count number of occurrence of the appearing of a same Internet Protocol address value which corresponds to a from domain value within the first data structure;
      
      maintaining a score count comprising a count number of occurrence of the appearing of a same Internet Protocol address value which corresponds to a sender domain value within the second data structure;
      
      maintaining a score count comprising a count number of occurrence of the appearing of a same Internet Protocol address value which corresponds to a return-path domain value within the third data structure;
      
      maintaining a score count comprising a count number of occurrence of the appearing of a same return-path domain value which corresponds to a from domain value within the fourth data structure; and
      
      maintaining a score count comprising a count number of occurrence of the appearing of a same return-path domain value which corresponds to a sender domain value within the fifth data structure.
  - 7. The method for detecting a spoofed information packet of claim 6, further including the steps of:
    - maintaining a highest count comprising a highest count number of occurrence of the appearing of the same Internet Protocol address value which corresponds to a from domain value within the first data structure;
      
      maintaining a highest count comprising a highest count number of occurrence of the appearing of the same Internet Protocol address value which corresponds to a sender domain value within the second data structure;
      
      maintaining a highest count comprising a highest count number of occurrence of the appearing of the same Internet Protocol address value which corresponds to a return-path domain value within the third data structure;
      
      maintaining a highest count comprising a highest count number of occurrence of the appearing of the same return-path domain value which corresponds to a from domain value within the fourth data structure; and
      
      maintaining a highest count comprising a highest count number of occurrence of the appearing of the same return-path value which corresponds to the same sender path domain value within the fifth data structure.
  - 8. The method for detecting a spoofed information packet of claim 7, further including the steps of:
    - maintaining a total count comprising a total number of occurrence of the appearing of all of the Internet Protocol address values which correspond to a from domain value within the first data structure;
      
      maintaining a total count comprising a total number of occurrence of the appearing of all of the Internet Protocol address values which correspond to a sender domain value within the second data structure;
      
      maintaining a total count comprising a total count of occurrence of the appearing of all of the Internet Protocol address values which correspond to a return-path domain value within the third data structure;
      
      maintaining a total count comprising a total count of occurrence of the appearing of all of the return-path domain values which correspond to a from domain value within the fourth data structure; and
      
      maintaining a total count comprising a total count of occurrence of the appearing of all of the return-path domain values which correspond to a sender path domain value within the fifth data structure.
  - 9. The method for detecting a spoofed information packet of claim 8, the step of generating a spoofed score for the currently received information packet further includes the step for calculating a threshold value for each of the first, second, third, fourth and fifth data structures for the currently received information packet.
  - 10. The method for detecting a spoofed information packet of claim 9, wherein the step for calculating the threshold value for each of the first, second, third, fourth and fifth data structures for the currently received information packet, comprises the steps of:
    - calculating the threshold value for the first data structure includes applying the highest and total counts from the first data structure for the currently received information packet such that the threshold value comprises the highest count times (the highest count/the total count) times 0.05;
      
      calculating the threshold value for the second data structure includes applying the highest and total counts from the second data structure for the currently received information packet such that the threshold value comprises the highest count times (the highest count/the total count) times 0.05;
      
      calculating the threshold value for the third data structure includes applying the highest and total counts from the third data structure for the currently received information packet such that the threshold value comprises the highest count times (the highest count/the total count) times 0.05;
      
      calculating the threshold value for the fourth data structure includes applying the highest and total counts from the fourth data structure for the currently received information packet such that the threshold value comprises the highest count times (the highest count/the total count) times 0.01; and
      
      calculating the threshold value for the fifth data structure includes applying the highest and total counts from the fifth data structure for the currently received information packet such that the threshold value comprises the highest count times (the highest count/the total count) times 0.01.
  - 11. The method for detecting a spoofed information packet of claim 10, wherein the step of generating a spoofed score for the currently received information packet further includes the steps of:
    - assigning a predetermined numerical value to the first data structure, having a value which indicates the currently received information packet is scoring in a direction indicating the currently received information packet is spoofed, with the Internet Protocol address value of the currently received information packet being received for the first time corresponding to the from domain value, of the currently received information packet, within the first data structure;
      
      assigning a predetermined numerical value to the second data structure, having a value which indicates the currently received information packet is scoring in the direction indicating the currently received information packet is spoofed, with the Internet Protocol address value, of the currently received information packet, being received for the first time corresponding to the sender domain value, of the currently received information packet, value within the second data structure;
      
      assigning a predetermined numerical value to the third data structure, having a value which indicates the currently received information packet is scoring in the direction indicating the currently received information packet is spoofed, with the Internet Protocol address value, of the currently received information packet, being received for the first time corresponding to the return-path domain value, of the currently received information packet, within the third data structure;
      
      assigning a predetermined numerical value to the fourth data structure, having a value which indicates the currently received information packet is scoring in the direction indicating the currently received information packet is spoofed, with the return-domain value, of the currently received information packet, being received for the first time corresponding to the from domain value, of the currently received information packet, within the fourth data structure; and
      
      assigning a predetermined numerical value to the fifth data structure, having a value which indicates the currently received information packet is scoring in the direction indicating the currently received information packet is spoofed, with the return-path value, of the currently received information packet, being received for the first time corresponding to the sender domain value, of the currently received information packet, within the fifth data structure.
  - 12. The method for detecting a spoofed information packet of claim 11, wherein the step of generating a spoofed score for the currently received information packet further includes the steps of:
    - assigning another predetermined numerical value to the first data structure, having a numerical value, which indicates the currently received information packet is scoring in a direction away from indicating the currently received information packet is spoofed, with the Internet Protocol address, of the currently received information packet, having a score count greater than the threshold value for the first data structure;
      
      assigning another predetermined numerical value to the second data structure, having a numerical value, which indicates the currently received information packet is scoring in a direction away from indicating the currently received information packet is spoofed, with the Internet Protocol address value, of the currently received information packet, having a score count greater than the threshold value for the second data structure;
      
      assigning another predetermined numerical value to the third data structure, having a numerical value, which indicates the currently received information packet is scoring in a direction away from indicating the currently received information packet is spoofed, with the Internet Protocol address value, of the currently received information packet, having a score count greater than the threshold value for the third data structure;
      
      assigning another predetermined numerical value to the fourth data structure, having a numerical value that indicates the currently received information packet is scoring in a direction away from indicating the currently received information packet is spoofed, with the return-path domain value, of the currently received information packet, having a score count greater than the threshold value for the fourth data structure; and
      
      assigning another predetermined numerical value to the fifth data structure, having a numerical value that indicates the currently received information packet is scoring in a direction away from indicating the currently received information packet is spoofed, with the return-path domain value, of the currently received information packet, having a score count greater than the threshold value for the fifth data structure.
  - 13. The method for detecting a spoofed information packet of claim 12, wherein the step for generating a spoofed score for the currently received information packet further includes the steps of:
    - deriving a first weighted numerical value based on the third data structure, wherein establishing the first weighted numerical value with assigning one of the predetermined numerical value of the third data structure or the other predetermined numerical value of the third data structure, to the first weighted numerical value, or calculating the first weighted numerical value with the application of the score count for the Internet Protocol address value of the third data structure and the threshold value of the third data structure, obtained from the currently received information packet;
      
      deriving a second weighted numerical value from a summation of a first sub-total value based on the first data structure and a second sub-total value based on the second data structure, comprising;
      
      deriving the first sub-total value with assigning one of the predetermined numerical value of the first data structure or the other predetermined numerical value of the first data structure to the first sub-total value, or calculating the first sub-total value with the application of the score count for the Internet Protocol address value of the first data structure and the threshold value of the first data structure, obtained from the currently received information packet; and
      
      deriving the second sub-total value with assigning one of the predetermined numerical value of the second data structure or the other predetermined numerical value of the second data structure to the first weighted numerical value, or calculating the first weighted numerical value with the application of the score count for the Internet Protocol address value of the second data structure and the threshold value of the second data structure, obtained from the currently received information packet, wherein, with both values for the from domain and the sender domain present within the predetermined designated fields for the currently received information packet, the first sub-total value of the second weighted numerical value and the second sub-total value of the second weighted numerical value are weighted, such that the first sub-total value is multiplied by twenty-five percent and the second sub-total is multiplied by seventy-five percent before summing the first and second sub-totals together to obtain the second weighted numerical value, otherwise, should a value for the sender domain not be present in the predetermined designated fields of the currently received information packet, the first sub-total becomes the second weighted numerical value;
      
      deriving a third weighted numerical value from a summation of a first sub-total value based on the fourth data structure and a second sub-total value based on the fifth data structure, comprising;
      
      deriving the first sub-total value with assigning one of the predetermined numerical value of the fourth data structure or the other predetermined numerical value of the fourth data structure to the first sub-total value, or calculating the first sub-total value with the application of the score count for the Internet Protocol address value of the fourth data structure and the threshold value of the fourth data structure, obtained from the currently received information packet; and
      
      deriving the second sub-total value with assigning one of the predetermined numerical value of the fifth data structure or the other predetermined numerical value of the fifth data structure to the first weighted numerical value, or calculating the third weighted numerical value with the application of the score count for the Internet Protocol address value of the fifth data structure and the threshold value of the fifth data structure, obtained from the currently received information packet, wherein, with both values for the from domain and the sender domain present within the predetermined designated fields for the currently received information packet, the first sub-total value of the third weighted numerical value and the second sub-total value of the third weighted numerical value are weighted, such that the first sub-total value is multiplied by twenty-five percent and the second sub-total is multiplied by seventy-five percent before summing the first and second sub-totals together to obtain the third weighted numerical value, otherwise, should a value for the sender domain not be present in the predetermined designated fields of the currently received information packet, the first sub-total becomes the third weighted numerical value.
  - 14. The method for detecting a spoofed information packet of claim 13, wherein the step for generating a spoofed score for the currently received information packet further includes:
    - the first weighted numerical value has a two times greater importance than the second weighted numerical value;
      
      the first weighted numerical value has a six times greater importance than the third weighted numerical value; and
      
      , wherein;
      
      the first weighted numerical value is normalized based on a sample size of the total count within the third data structure;
      
      the second weighted numerical value is normalized based on a sample size of the total count within the first and second data structures, wherein;
      
      the first sub-total is normalized with the sample size of the total count within the first data structure; and
      
      the second sub-total is normalized with the sample size of the total count within the second data structure; and
      
      the third weighted numerical value is normalized based on a sample size of the total count within the fourth and fifth data structures, wherein;
      
      the first sub-total is normalized with the sample size of the total count within the fourth data structure; and
      
      the second sub-total is normalized with the sample size of the total count within the fifth data structure.
  - 15. The method for detecting a spoofed information packet of claim 14, wherein the step for generating a spoofed score for the currently received information packet further includes the step of obtaining a total spoofed score includes the step of summing the following:
    - the first weighted numerical value, plus;
      
      the second weighted numerical value, plus; and
      
      the third weighted numerical value.
  - 16. The method for detecting a spoofed information packet of claim 15, wherein the step for generating a spoofed score for the currently received information packet further includes the step of multiplying, the summing of the first weighted numerical value, plus the second weighted numerical value plus the third weighted numerical value, by a fixed value such that with a maximum values for each of the first, second and third weighted numerical values the total would result in a value of 100.
  - 17. The method for detecting a spoofed information packet of claim 8, wherein the step of updating database with extracted values includes the step of:
    - maintaining the score count, the highest count and the total count for each currently received information packet of the first, second, third, fourth and fifth data structures, in relationship to a date in which the score count, highest count and total count were obtained;
      
      setting a first designated time period interval having a beginning date and an ending date, and positioning, the score count, highest count and total count, which were obtained in the first designated time period interval between the beginning and the ending dates, within the first designated time period interval; and
      
      multiplying, at a time within a current designated time period interval and after the expiration of the first designated time period interval, each of the score, highest and total counts, within the first designated time period interval, which has just expired, and within each of a preceding designated time period interval within which score, highest and total counts are positioned, equal in time duration of the just expired first designated time period interval, by 1/(2 ^N), wherein N is an exponent corresponding to the number of designated time period intervals removed from the current designated time period interval.
  - 18. The method for detecting a spoofed information packet of claim 5, wherein the step of updating database with extracted values includes the step of:
    - purging an Internet Protocol address value from the first, second and third data structures should the Internet Protocol address value not have appeared in a currently received information packet for a second designated time period interval, a subsequent appearance of the Internet Protocol address value, after purging, would be designated as a first appearance; and
      
      purging a return-path domain value from the fourth and fifth data structures should the return-path value not have appeared in a currently received information packet for one month, a subsequent appearance of the return-path domain value, after purging, would be designated as a first appearance.
  - 19. The method for detecting a spoofed information packet of claim 1, wherein:
    - each data structure comprises a relationship between two different designated predetermined fields which correspond to two different designated predetermined fields within the metadata; and
      
      the predetermined designated fields of the metadata are fully represented within the group of the data structures, such that each value extracted from the predetermined designated fields of the previously received information packet will be stored within a data structure, which comprises a designation of the predetermined designated field from which the value was extracted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Meves, Nicholas John
Primary Examiner(s)
Lemma, Samson

Application Number

US14/744,185
Time in Patent Office

459 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/0876   based on the identity of th...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

Email spoofing detection via infrastructure machine learning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Email spoofing detection via infrastructure machine learning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links