Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications

US 9,635,046 B2
Filed: 08/31/2016
Issued: 04/25/2017
Est. Priority Date: 08/06/2015
Status: Active Grant

First Claim

Patent Images

1. A computer readable storage device configured to store computer executable instructions that, when executed, cause a computer system to:

access records of electronic communications that were sent to internal recipients within a local network;

access a prescreened electronic communication preliminarily identified as a potential undesirable electronic communication;

group the records into a data cluster, wherein the records in the data cluster share one or more similar characteristics with the prescreened electronic communication;

identify one or more recipients associated with the records in the data cluster, the one or more recipients being authorized to access the local network;

determine respective roles associated with at least some of the one or more recipients associated with the records in the data cluster;

determine a priority of the data cluster based at least in part on a role associated with at least one of the one or more recipients, wherein the priority indicates an importance of assessing if the electronic communications are undesirable; and

providing data to a computing device, wherein the data is rendered by the computing device as an interactive user interface including an indication of the data cluster and an indication of the priority of assessing an undesirability of the electronic communications in the data cluster.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data analysis system receives potentially undesirable electronic communications and automatically groups them in computationally-efficient data clusters, automatically analyze those data clusters, automatically tags and groups those data clusters, and provides results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the data clusters may include an automated application of various criteria or rules so as to generate an ordered display of the groups of related data clusters such that the analyst may quickly and efficiently evaluate the groups of data clusters. In particular, the groups of data clusters may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various groups of data clusters and efficiently evaluate those data clusters.

Citations

20 Claims

1. A computer readable storage device configured to store computer executable instructions that, when executed, cause a computer system to:
- access records of electronic communications that were sent to internal recipients within a local network;
  
  access a prescreened electronic communication preliminarily identified as a potential undesirable electronic communication;
  
  group the records into a data cluster, wherein the records in the data cluster share one or more similar characteristics with the prescreened electronic communication;
  
  identify one or more recipients associated with the records in the data cluster, the one or more recipients being authorized to access the local network;
  
  determine respective roles associated with at least some of the one or more recipients associated with the records in the data cluster;
  
  determine a priority of the data cluster based at least in part on a role associated with at least one of the one or more recipients, wherein the priority indicates an importance of assessing if the electronic communications are undesirable; and
  
  providing data to a computing device, wherein the data is rendered by the computing device as an interactive user interface including an indication of the data cluster and an indication of the priority of assessing an undesirability of the electronic communications in the data cluster.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer readable storage device of claim 1, the similar characteristics comprising at least one of:
    - a from field corresponding to a purported author of the prescreened electronic communication;
      
      one or more recipient fields corresponding to recipients of the prescreened electronic communication;
      
      ora subject field corresponding to a purported topic of the prescreened electronic communication.
  - 3. The computer readable storage device of claim 1, wherein determining the priority of the data cluster is further based on a number of records in the data cluster.
  - 4. The computer readable storage device of claim 1, the role comprising an organizational rank of the one or more of the recipients.
  - 5. The computer readable storage device of claim 1, the prescreened electronic communication further comprising a message body, and the computer system is further configured to execute the computer executable instructions to parse the message body for a uniform resource locator.
  - 6. The computer readable storage device of claim 5, the similar characteristics comprising the uniform resource locator being in the message body.
  - 7. The computer readable storage device of claim 5, wherein the computer executable instructions, when executed, are further configured cause a network connection of the computer system to access, from one or more remote networks not within the local network, a blackhole list, the similar characteristics including the at least one uniform resource locator in the message body, or a portion thereof, that is on the blackhole list.
  - 8. The computer readable storage device of claim 5, wherein the computer executable instructions, when executed, are further configured to cause the computer system to:
    - store a log of requests from the local network seeking resources outside the local network; and
      
      identify instances in the log of requests indicating a request from the local network seeking the uniform resource locator.
  - 9. The computer readable storage device of claim 8, wherein the computer executable instructions, when executed, are further configured cause the computer system to generate data for rendering, in the interactive user interface, an indication of the instances in the log of requests.
  - 10. The computer readable storage device of claim 1, wherein the computer executable instructions, when executed, are further configured to cause the computer system to receive a disposition from a user that the prescreened electronic communication in the data cluster is undesirable electronic communication.
  - 11. The computer readable storage device of claim 10, wherein the computer executable instructions, when executed, are further configured to cause the computer system to, based on the disposition, transmit an electronic notification to recipients identified in the records in the data cluster.

12. A computer-implemented method for investigating potential malicious communications, the method comprising:
- by a computer system including one or more computer-readable storage devices configured to store computer executable instructions and one or more processors configured to execute the computer executable instructions;
  
  accessing electronic communications that were sent to internal recipients within a local network;
  
  accessing a prescreened electronic communication preliminarily identified as a potential undesirable electronic communication;
  
  grouping the electronic communications into a data cluster, wherein the electronic communications in the data cluster share one or more similar characteristics with the prescreened electronic communication;
  
  identifying one or more recipients associated with the electronic communications in the data cluster, the one or more recipients being authorized to access the local network;
  
  determining respective roles associated with at least some of the one or more recipients associated with the electronic communications in the data cluster;
  
  determining a priority of the data cluster based at least in part on a role associated with at least one of the one or more recipients, wherein the priority indicates an importance of assessing if the electronic communications are undesirable; and
  
  providing data to a computing device, wherein the data is rendered on the computing device as an interactive user interface including an indication of the data cluster and an indication of the priority of assessing an undesirability of the electronic communications in the data cluster.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computer-implemented method of claim 12, the similar characteristics comprising at least one of:
    - a from field corresponding to a purported author of the prescreened electronic communication;
      
      one or more recipient fields corresponding to recipients of the prescreened electronic communication;
      
      ora subject field corresponding to a purported topic of the prescreened electronic communication.
  - 14. The computer-implemented method of claim 12, wherein determining the priority of the data cluster is further based on a number of electronic communications in the data cluster.
  - 15. The computer-implemented method of claim 12, the role comprising an organizational rank of the one or more of the recipients.
  - 16. The computer-implemented method of claim 12, the prescreened electronic communication further comprising a message body, and the computer-implemented method further comprising parsing the message body for a uniform resource locator.
  - 17. The computer-implemented method of claim 16, further comprising:
    - storing a log of requests from the local network seeking resources outside the local network; and
      
      identifying instances in the log of requests indicating a request from the local network seeking the uniform resource locator.
  - 18. The computer-implemented method of claim 16, the similar characteristics comprising the uniform resource locator being in the message body.
  - 19. The computer-implemented method of claim 16, further comprising accessing, from one or more remote networks not within the local network, a blackhole list, the similar characteristics including the at least one uniform resource locator in the message body, or a portion thereof, that is on the blackhole list.
  - 20. The computer-implemented method of claim 17, further comprising:
    - generating data for rendering, in the interactive user interface, an indication of the instances in the log of requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Spiro, Ezra, Staehle, Joseph, Levine, Andrew, Ricafort, Juan, Morales, Alvaro
Primary Examiner(s)
THIAW, CATHERINE B

Application Number

US15/253,717
Publication Number

US 20170041335A1
Time in Patent Office

237 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/951   Indexing; Web crawling tech...

G06F 21/552   involving long-term monitor...

G06F 3/0482   Interaction with lists of s...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links