Method and system for assessing and classifying reported potentially malicious messages in a cybersecurity system

US 9,774,626 B1
Filed: 08/17/2016
Issued: 09/26/2017
Est. Priority Date: 08/17/2016
Status: Active Grant

First Claim

Patent Images

1. A non-malicious message identification and classification system of a cybersecurity network, the system comprising:

a cybersecurity server comprising a cybersecurity server processor and programming instructions configured to cause the cybersecurity server processor to generate simulated phishing messages and send the simulated phishing messages to a client computing device;

a computer-readable medium portion storing programming instructions that are configured to cause the client computing device to;

receive an electronic message via a communications network, andreceive a user notification that indicates that a user has reported the received message as a potentially malicious message; and

a computer-readable medium portion storing programming instructions that are configured to cause the client computing device or a remote computing device to;

determine whether the received message is a legitimate message or-a potentially malicious message,in response to determining that the received message is a legitimate message, further analyze the received message to assign a class from a set of available classes to the received message, wherein;

the available classes comprise a simulated phishing message class, a trusted internal sender class, and a trusted external sender class, andthe assigned class is the simulated phishing message class, the trusted internal sender class, or the trusted external sender class, andin response to receiving the user notification and determining that the received message is a legitimate message, cause the client computing device to output a prompt to the user so that the prompt indicates that the message is a legitimate message and is associated with the assigned class, wherein;

if the assigned class is the simulated phishing message class, then the prompt confirms that the user has properly reported the received message, andif the assigned class is either of the trusted internal sender class or the trusted external sender class, then the prompt conveys that the user has improperly reported the received message as a potentially malicious message so as to train the user.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a cybersecurity network, a system identifies and classifies non-malicious messages by receiving a user notification indicating that the user has reported a received message as potentially malicious message, and determining whether the received message is legitimate or potentially malicious. When the system determines that the message is a legitimate, it further analyzes the message to assign a class that may include trusted internal sender, trusted external sender, or training a simulated phishing message. It will then cause the user'"'"'s device to provide the user with information corresponding to the assigned class. The system may also quarantine a received message and release the message from the quarantine only after determining that the message is legitimate and receiving a user acknowledgment.

Citations

24 Claims

1. A non-malicious message identification and classification system of a cybersecurity network, the system comprising:
- a cybersecurity server comprising a cybersecurity server processor and programming instructions configured to cause the cybersecurity server processor to generate simulated phishing messages and send the simulated phishing messages to a client computing device;
  
  a computer-readable medium portion storing programming instructions that are configured to cause the client computing device to;
  
  receive an electronic message via a communications network, andreceive a user notification that indicates that a user has reported the received message as a potentially malicious message; and
  
  a computer-readable medium portion storing programming instructions that are configured to cause the client computing device or a remote computing device to;
  
  determine whether the received message is a legitimate message or-a potentially malicious message,in response to determining that the received message is a legitimate message, further analyze the received message to assign a class from a set of available classes to the received message, wherein;
  
  the available classes comprise a simulated phishing message class, a trusted internal sender class, and a trusted external sender class, andthe assigned class is the simulated phishing message class, the trusted internal sender class, or the trusted external sender class, andin response to receiving the user notification and determining that the received message is a legitimate message, cause the client computing device to output a prompt to the user so that the prompt indicates that the message is a legitimate message and is associated with the assigned class, wherein;
  
  if the assigned class is the simulated phishing message class, then the prompt confirms that the user has properly reported the received message, andif the assigned class is either of the trusted internal sender class or the trusted external sender class, then the prompt conveys that the user has improperly reported the received message as a potentially malicious message so as to train the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein:
    - the programming instructions for determining whether the received message is a legitimate message or a malicious message comprise instructions to;
      
      select a structural element of the received message,obtain information corresponding to the structural element, anduse the obtained information to assign a trust value to the structural element; and
      
      the programming instructions to cause the client computing device to output the prompt also comprise instructions to present the user with the structural element and descriptive material corresponding to the obtained information, to train the user about how the structural element can help identify why the received message is a legitimate message.
  - 3. The system of claim 2, wherein the programming instructions for selecting the structural element comprise programming instructions to receive a selection of the structural element with the received user notification.
  - 4. The system of claim 2, wherein the programming instructions for obtaining information corresponding to the structural element comprise instructions to, if the structural element comprises a hyperlink, access a domain name registrar to retrieve information that indicates an age of a domain associated with the hyperlink.
  - 5. The system of claim 2, wherein the programming instructions for obtaining information corresponding to the structural element comprise instructions to, if the structural element comprises a hyperlink, obtain the information corresponding to the structural element by:
    - identifying a domain name registrar for a domain associated with the hyperlink; and
      
      accessing a data set of known domain name registrars to identify whether the registrar is known to register malicious websites.
  - 6. The system of claim 2, wherein the programming instructions for obtaining information corresponding to the structural element comprise instructions to, if the structural element comprises a plurality of hyperlinks, determine a number of redirects associated with the plurality of hyperlinks.
  - 7. The system of claim 1, wherein:
    - the instructions for assigning a class to the received message comprise instructions to, if the received message is one of the simulated phishing messages generated by the cybersecurity server, assign the simulated phishing message class to the received message.
  - 8. The system of claim 7, wherein the instructions for assigning a class to the received message comprise instructions to determine that received message is one of the simulated phishing messages if:
    - a header field of a header section of the received message starts with a predetermined key; and
      
      for any header field that starts with the predetermined key, that header field also includes a value that satisfies a first trusted sender rule.
  - 9. The system of claim 1, wherein:
    - the instructions to assign a class to the received message further comprise instructions to, before assigning the simulated phishing message class to any received message, require that the received message satisfies at least two trusted sender rules.
  - 10. The system of claim 9, wherein the at least two trusted sender rules comprise at least two of the following:
    - a condition that at least one header field of a header section of the received message starts with a predetermined key, and for any header field that starts with the predetermined key, that header field also includes a value that is a known value or in a known format;
      
      a condition that any header field having a FROM fieldname include a value that is associated with a known sender;
      
      a condition that any header field having a domain name include a value that is associated with a known domain;
      
      ora condition that any header field having a FROM fieldname include a value that is associated with a known sender, and a condition that any header field having a domain name include a value that is associated with a known domain.
  - 11. The system of claim 1, further comprising additional programming instructions that cause the client computing device to, before determining whether the received message is a legitimate message or a potentially malicious message:
    - quarantine the received message; and
      
      release the received message from quarantine only after determining that the received message is a legitimate message and receiving a user acknowledgment of the prompt.
  - 12. The system of claim 1, further comprising additional programming instructions that are configured to, in response to determining that the received message is a legitimate message, cause the client computing device to output a prompt for the user to confirm reporting of the received message.

13. A method of identifying and classifying a non-malicious messages in a cybersecurity reporting system, the method comprising:
- by a client computing device, receiving an electronic message via a communications network;
  
  by the client computing device, receiving a user notification that indicates that a user has reported the received message as a potentially malicious message;
  
  by the client computing device or a remote computing device, implementing programming instructions that cause that computing device to;
  
  determine whether the received message is a legitimate message or a potentially malicious message,in response to determining that the received message is a legitimate message, further analyzing the received message to assign a class from a set of available classes to the received message, wherein;
  
  the available classes comprise a simulated phishing message class, a trusted internal sender class, and a trusted external sender class, andthe assigned class is the simulated phishing message class, the trusted internal sender class, or the trusted external sender class, andin response to receiving the user notification and determining that the received message is a legitimate message, cause the client computing device to output a prompt to the user, wherein;
  
  the prompt indicates that the message is a legitimate message and is associated with the assigned class,if the assigned class is the simulated phishing message class, then the prompt confirms that the user has properly reported the received message, andif the assigned class is either of the trusted internal sender class or the trusted external sender class, then the prompt conveys that the user has improperly reported the received message as a potentially malicious message so as to train the user.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, wherein:
    - determining whether the received message is a legitimate message or a malicious message comprises;
      
      selecting a structural element of the received message,obtaining information corresponding to the structural element, andusing the obtained information to assign a trust value to the structural element; and
      
      causing the client device to output the prompt also comprises;
      
      presenting the user with the structural element and descriptive material corresponding to the obtained information, to train the user about how the structural element can help identify why the received message is a legitimate message.
  - 15. The method of claim 14, wherein selecting the structural element comprises receiving a selection of the structural element with the received user notification.
  - 16. The method of claim 14, wherein:
    - the structural element comprises a hyperlink; and
      
      obtaining information corresponding to the structural element comprises accessing a domain name registrar to retrieve information that indicates an age of a domain associated with the hyperlink.
  - 17. The method of claim 14, wherein:
    - the structural element comprises a hyperlink; and
      
      obtaining information corresponding to the structural element comprises;
      
      identifying a domain name registrar for a domain associated with the hyperlink,accessing a data set of known domain name registrars to identify whether the registrar is known to register malicious websites.
  - 18. The method of claim 14, wherein:
    - the structural element comprises a plurality of hyperlinks; and
      
      obtaining information corresponding to the structural element comprises determining a number of redirects associated with the plurality of hyperlinks.
  - 19. The method of claim 13, further comprising:
    - by a cybersecurity server, generating a plurality of simulated phishing messages and sending the simulated phishing messages to a client computing device;
      
      and wherein assigning the class to the received message comprises assigning the simulated phishing class to the received message if the client computing device determines that the received message is one of the simulated phishing messages generated by the cybersecurity server.
  - 20. The method of claim 19, wherein determining that the received message is one of the simulated phishing messages comprises:
    - determining whether any header field of a header section of the received message starts with a predetermined key;
      
      for any header field that starts with the predetermined key, further analyzing that header field to determine whether a value that follows the predetermined key satisfies a first trusted sender rule; and
      
      determining that the value that follows the predetermined key satisfies the first trusted sender rule.
  - 21. The method of claim 13, wherein:
    - assigning a class to the received message further comprises, before assigning the simulated phishing message class to any received message, requiring that the received message satisfies at least two trusted sender rules.
  - 22. The method of claim 21, wherein the at least two trusted sender rules comprise at least two of the following:
    - a condition that at least one header field of a header section of the received message start with a predetermined key, and for any header field that starts with the predetermined key, that header field also includes a value that is a known value or in a known format;
      
      a condition that any header field having a FROM fieldname include a value that is associated with a known sender;
      
      a condition that any header field having a domain name include a value that is associated with a known domain;
      
      ora condition that any header field having a FROM fieldname include a value that is associated with a known sender, and a condition that any header field having a domain name include a value that is associated with a known domain.
  - 23. The method of claim 13, further comprising, before determining whether the received message is a legitimate message or a potentially malicious message:
    - quarantining the received message; and
      
      releasing the received message from quarantine only after determining that the received message is a legitimate message and receiving a user acknowledgment of the prompt.
  - 24. The method of claim 13, further comprising, by the client computing in response to determining that the received message is a legitimate message, causing the client computing device to output a prompt for the user to confirm reporting of the received message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Wombat Security Technologies, Inc (Proofpoint Incorporated)
Inventors
Himler, Alan, Campbell, John T., Ferrara, Joseph A., Hawthorn, Trevor T., Sadeh-Koniecpol, Norman, Wescoe, Kurt
Primary Examiner(s)
Lesniewski, Victor

Application Number

US15/239,668
Time in Patent Office

405 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 63/1483 service impersonation, e.g....

Method and system for assessing and classifying reported potentially malicious messages in a cybersecurity system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for assessing and classifying reported potentially malicious messages in a cybersecurity system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links