Systems and methods for detecting compromised messaging accounts

US 9,756,007 B1
Filed: 12/18/2013
Issued: 09/05/2017
Est. Priority Date: 12/18/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting compromised messaging accounts, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

maintaining a behavior database that associates messaging accounts of a plurality of users with messaging behaviors that typify each messaging account by;

extracting, from each of the messaging accounts, messaging features that describe stylistic and compositional traits of messages sent by the messaging accounts;

for each messaging account, identifying, based on the extracted messaging features, messaging behaviors that typify the messaging account by;

determining a frequency with which the messaging account displays at least one messaging behavior;

determining that the frequency with which the messaging account displays the messaging behavior exceeds a frequency with which at least one other messaging account displays the messaging behavior; and

weighting the messaging behavior based on a comparison between the frequency with which the messaging account displays the messaging behavior and the frequency with which the other messaging account displays the messaging behavior;

identifying, based on the extracted messaging features, messaging behaviors that do not typify any of the messaging accounts of the plurality of users by identifying messaging behaviors that are displayed with a similar frequency by at least most of the messaging accounts of the plurality of users; and

associating, in the behavior database, each of the messaging accounts of the plurality of users with the weighted messaging behaviors that typify each messaging account and not the messaging behaviors that do not typify any of the messaging accounts of the plurality of users;

detecting an attempt by a user to send a message from one of the messaging accounts of the plurality of users;

determining, by comparing features of the message with the weighted messaging behaviors associated with the messaging account in the behavior database, that the messaging account has potentially been compromised; and

in response to the determination that the messaging account has potentially been compromised, verifying that the user is an owner of the messaging account.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for detecting compromised messaging accounts may include maintaining a behavior database that associates a plurality of messaging accounts with messaging behaviors that typify each of the messaging accounts. The method may also include detecting an attempt by a user to send a message from a messaging account. In addition, the method may include determining that the messaging account has potentially been compromised by comparing features of the message with messaging behaviors associated with the messaging account in the behavior database. Finally, the method may include verifying that the user is an owner of the messaging account in response to the determination that the messaging account has potentially been compromised. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for detecting compromised messaging accounts, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- maintaining a behavior database that associates messaging accounts of a plurality of users with messaging behaviors that typify each messaging account by;
  
  extracting, from each of the messaging accounts, messaging features that describe stylistic and compositional traits of messages sent by the messaging accounts;
  
  for each messaging account, identifying, based on the extracted messaging features, messaging behaviors that typify the messaging account by;
  
  determining a frequency with which the messaging account displays at least one messaging behavior;
  
  determining that the frequency with which the messaging account displays the messaging behavior exceeds a frequency with which at least one other messaging account displays the messaging behavior; and
  
  weighting the messaging behavior based on a comparison between the frequency with which the messaging account displays the messaging behavior and the frequency with which the other messaging account displays the messaging behavior;
  
  identifying, based on the extracted messaging features, messaging behaviors that do not typify any of the messaging accounts of the plurality of users by identifying messaging behaviors that are displayed with a similar frequency by at least most of the messaging accounts of the plurality of users; and
  
  associating, in the behavior database, each of the messaging accounts of the plurality of users with the weighted messaging behaviors that typify each messaging account and not the messaging behaviors that do not typify any of the messaging accounts of the plurality of users;
  
  detecting an attempt by a user to send a message from one of the messaging accounts of the plurality of users;
  
  determining, by comparing features of the message with the weighted messaging behaviors associated with the messaging account in the behavior database, that the messaging account has potentially been compromised; and
  
  in response to the determination that the messaging account has potentially been compromised, verifying that the user is an owner of the messaging account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the messaging behaviors that typify each messaging account comprise at least one of:
    - writing habits that characterize a writing style of an account owner;
      
      composition habits that characterize non-stylistic compositional behaviors of an account owner; and
      
      interaction habits that characterize an interpersonal communication network of an account owner.
  - 3. The method of claim 2, wherein:
    - the writing habits comprise at least one of;
      
      a frequency with which certain characters appear in messages sent by the account owner;
      
      a frequency with which certain words appear in messages sent by the account owner;
      
      grammatical features that appear in messages sent by the account owner; and
      
      stylistic features that appear in messages sent by the account owner;
      
      the composition habits comprise at least one of;
      
      times of day the account owner sends messages;
      
      days of the week the account owner sends messages;
      
      web addresses included in messages sent by the account owner; and
      
      formatting features included in messages sent by the account owner; and
      
      the interaction habits comprise at least one of;
      
      recipients of messages sent by the account owner; and
      
      domains of messaging accounts of recipients of messages sent by the account owner.
  - 4. The method of claim 1, wherein weighting the messaging behavior comprises:
    - determining that the messaging behavior typifies both the messaging account and the other messaging account; and
      
      assigning a weight to the messaging behavior for the messaging account that is higher than a weight assigned to the messaging behavior for the other messaging account.
  - 5. The method of claim 1, wherein detecting the attempt by the user to send the message from the messaging account comprises intercepting the message before it is distributed to an intended recipient.
  - 6. The method of claim 1, wherein determining, by comparing the features of the message with the weighted messaging behaviors associated with the messaging account in the behavior database, that the messaging account has potentially been compromised comprises determining that at least one of the features of the message does not match the weighted messaging behaviors associated with the messaging account in the behavior database.
  - 7. The method of claim 1, wherein verifying that the user is the account owner comprises:
    - requiring the user to provide at least one of;
      
      an answer to a CAPTCHA;
      
      an answer to a security question previously chosen by the account owner; and
      
      an alphanumeric code sent to a mobile communication device linked to the account owner; and
      
      determining whether the user has been successfully verified.
  - 8. The method of claim 7, wherein:
    - determining whether the user has been successfully verified comprises determining that the user has been successfully verified;
      
      in response to the determination that the user has been successfully verified, determining that the messaging account has not been compromised; and
      
      in response to the determination that the account has not been compromised, updating the behavior database with the features of the message.
  - 9. The method of claim 7, wherein:
    - determining whether the user has been successfully verified comprises determining that the user has not been successfully verified;
      
      in response to the determination that the user has not been successfully verified, determining that the messaging account has been compromised; and
      
      in response to the determination that the messaging account has been compromised, preventing the user from accessing the messaging account.
  - 10. The method of claim 1, wherein the computing device comprises at least one of:
    - at least one client-side computing device; and
      
      a server-side computing device.

11. A system for detecting compromised messaging accounts, the system comprising:
- a maintenance module, stored in memory, that maintains a behavior database that associates messaging accounts of a plurality of users with messaging behaviors that typify each messaging account by;
  
  extracting, from each of the messaging accounts, messaging features that describe stylistic and compositional traits of messages sent by the messaging accounts;
  
  for each messaging account, identifying, based on the extracted messaging features, messaging behaviors that typify the messaging account by;
  
  determining a frequency with which the messaging account displays at least one messaging behavior;
  
  determining that the frequency with which the messaging account displays the messaging behavior exceeds a frequency with which at least one other messaging account displays the messaging behavior; and
  
  weighting the messaging behavior based on a comparison between the frequency with which the messaging account displays the messaging behavior and the frequency with which the other messaging account displays the messaging behavior;
  
  identifying, based on the extracted messaging features, messaging behaviors that do not typify any of the messaging accounts of the plurality of users by identifying messaging behaviors that are displayed with a similar frequency by at least most of the messaging accounts of the plurality of users; and
  
  associating, in the behavior database, each of the messaging accounts of the plurality of users with the weighted messaging behaviors that typify each messaging account and not the messaging behaviors that do not typify any of the messaging accounts of the plurality of users;
  
  a detection module, stored in memory, that detects an attempt by a user to send a message from one of the messaging accounts of the plurality of users;
  
  a determination module, stored in memory, that determines, by comparing features of the message with the weighted messaging behaviors associated with the messaging account in the behavior database, that the messaging account has potentially been compromised;
  
  a verification module, stored in memory, that verifies that the user is an owner of the messaging account in response to the determination that the messaging account has potentially been compromised; and
  
  at least one processor configured to execute the maintenance module, the detection module, the determination module, and the verification module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the messaging behaviors that typify each messaging account comprise at least one of:
    - writing habits that characterize a writing style of an account owner;
      
      composition habits that characterize non-stylistic compositional behaviors of an account owner; and
      
      interaction habits that characterize an interpersonal communication network of an account owner.
  - 13. The system of claim 12, wherein:
    - the writing habits comprise at least one of;
      
      a frequency with which certain characters appear in messages sent by the account owner;
      
      a frequency with which certain words appear in messages sent by the account owner;
      
      grammatical features that appear in messages sent by the account owner; and
      
      stylistic features that appear in messages sent by the account owner;
      
      the composition habits comprise at least one of;
      
      times of day the account owner sends messages;
      
      days of the week the account owner sends messages;
      
      web addresses included in messages sent by the account owner; and
      
      formatting features included in messages sent by the account owner; and
      
      the interaction habits comprise at least one of;
      
      recipients of messages sent by the account owner; and
      
      domains of messaging accounts of recipients of messages sent by the account owner.
  - 14. The system claim 11, wherein the maintenance module weights the messaging behavior by:
    - determining that the messaging behavior typifies both the messaging account and the other messaging account; and
      
      assigning a weight to the messaging behavior for the messaging account that is higher than a weight assigned to the messaging behavior for the other messaging account.
  - 15. The system of claim 11, wherein the detection module detects the attempt by the user to send the message from the messaging account by intercepting the message before it is distributed to an intended recipient.
  - 16. The system of claim 11, wherein the determination module determines, by comparing the features of the message with the weighted messaging behaviors associated with the messaging account in the behavior database, that the messaging account has potentially been compromised by determining that at least one of the features of the message does not match the weighted messaging behaviors associated with the messaging account in the behavior database.
  - 17. The system of claim 11, wherein the verification module verifies that the user is the account owner by:
    - requiring the user to provide at least one of;
      
      an answer to a CAPTCHA;
      
      an answer to a security question previously chosen by the account owner; and
      
      an alphanumeric code sent to a mobile communication device linked to the account owner; and
      
      determining whether the user has been successfully verified.
  - 18. The system of claim 17, wherein:
    - the verification module determines whether the user has been successfully verified by determining that the user has been successfully verified;
      
      the verification module further determines that the messaging account has not been compromised in response to the determination that the user has been successfully verified; and
      
      the maintenance module updates the behavior database with the features of the message in response to the determination that the account has not been compromised.
  - 19. The system of claim 17, wherein the verification module:
    - determines whether the user has been successfully verified by determining that the user has not been successfully verified;
      
      in response to the determination that the user has not been successfully verified, determines that the messaging account has been compromised; and
      
      in response to the determination that the messaging account has been compromised, prevents the user from accessing the messaging account.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor a computing device, cause the computing device to:
- maintain a behavior database that associates messaging accounts of a plurality of users with messaging behaviors that typify each messaging account by;
  
  extracting, from each of the messaging accounts, messaging features that describe stylistic and compositional traits of messages sent by the messaging accounts;
  
  for each messaging account, identifying, based on the extracted messaging features, messaging behaviors that typify the messaging account by;
  
  determining a frequency with which the messaging account displays at least one messaging behavior;
  
  determining that the frequency with which the messaging account displays the messaging behavior exceeds a frequency with which at least one other messaging account displays the messaging behavior; and
  
  weighting the messaging behavior based on a comparison between the frequency with which the messaging account displays the messaging behavior and the frequency with which the other messaging account displays the messaging behavior;
  
  identifying, based on the extracted messaging features, messaging behaviors that do not typify any of the messaging accounts of the plurality of users by identifying messaging behaviors that are displayed with a similar frequency by at least most of the messaging accounts of the plurality of users; and
  
  associating, in the behavior database, each of the messaging accounts of the plurality of users with the weighted messaging behaviors that typify each messaging account and not the messaging behaviors that do not typify any of the messaging accounts of the plurality of users;
  
  detect an attempt by a user to send a message from one of the messaging accounts of the plurality of users;
  
  determine, by comparing features of the message with the weighted messaging behaviors associated with the messaging account in the behavior database, that the messaging account has potentially been compromised; and
  
  in response to the determination that the messaging account has potentially been compromised, verify that the user is an owner of the messaging account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Stringhini, Gianluca, Thonnard, Olivier
Primary Examiner(s)
Greene, Joseph

Application Number

US14/133,567
Time in Patent Office

1,357 Days
Field of Search

709203
US Class Current
CPC Class Codes

H04L 51/216 Handling conversation histo...

H04L 51/23 Reliability checks, e.g. ac...

Systems and methods for detecting compromised messaging accounts

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting compromised messaging accounts

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links