System and method for detecting phishing using password prediction
First Claim
1. A computer-implemented method for detecting phishing activity by determining a password used to decrypt an attachment of a communication message that is intended to be decrypted by a recipient of the communication message, the method comprising:
- in response to a communication message having an encrypted attachment, parsing content of the communication message and predicting a password candidate within a non-encrypted portion of the communication message by identifying a pattern of the content operating as a reference point in predicting the password candidate, wherein the pattern being one or more words and the predicted password candidate being (i) different than and distinct from the pattern and (ii) determined, at least in part, as a portion of the content that is within a predetermined number of words prior to or after the pattern of the content within the non-encrypted portion of the communication message;
- attempting to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
- in response to decrypting the encrypted attachment using the predicted password candidate, performing a malicious content analysis on the decrypted attachment to determine a likelihood of the decrypted attachment containing malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines.
Abstract
Phishing detection techniques for predicting a password for decrypting an attachment for the purpose of malicious content detection are described herein. According to one embodiment, in response to a communication message, such as an electronic mail (email) message, having an encrypted attachment, content of the communication message is parsed to predict a password based on a pattern of the content. The encrypted attachment is then decrypted using the predicted password to generate a decrypted attachment. Thereafter, a malicious content analysis is performed on the decrypted attachment to determine a likelihood as to whether the decrypted attachment contains malicious content.
31 Claims
1. See First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A non-transitory machine-readable storage medium including instructions stored therein, which when executed by a processor, cause the processor to perform a method of detecting phishing activity by determining a password candidate used to decrypt an attachment of a communication message that is intended to be decrypted by a recipient of the communication message, comprising:
- in response to the communication message having an encrypted attachment, parsing content of the communication message to predict the password candidate within a non-encrypted portion of the communication message by identifying a pattern of the content operating as a reference point in predicting the password candidate, wherein the pattern being one or more words and the predicted password candidate being (i) different than and distinct from the pattern and (ii) determined, at least in part, as a portion of the content that is within a predetermined number of words prior to or after the pattern of the content within the non-encrypted portion of the communication message;
- attempting to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
- in response to decrypting the encrypted attachment using the predicted password candidate, performing a malicious content analysis on the decrypted attachment to determine whether the decrypted attachment likely contains malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. A data processing system for detecting phishing activity, comprising:
- a password predictor, in response to a communication message having an encrypted attachment, to parse content of the communication message to predict a password candidate within a non-encrypted portion of the communication message by identifying a pattern within the content that operates as a reference point in predicting the password candidate, wherein the pattern being one or more words and the predicted password candidate being (i) different than and distinct from the pattern and (ii) determined, at least in part, as a portion of the content that is within a predetermined number of words prior to or after the pattern of the content within the non-encrypted portion of the communication message;
- an attachment processing module to attempt to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
- a content analysis module, in response to decrypting the encrypted attachment using the predicted password candidate, to perform a malicious content analysis on the decrypted attachment to determine whether the decrypted attachment likely contains malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
31. A server comprising:
- a processor; and
- a memory coupled to the processor, the memory includes a plurality of modules that are executed by the processor, the plurality of modules comprise:
  - a password predictor configured to detect phishing activity for a communication message having an encrypted attachment upon predicting a password candidate from information within a non-encrypted portion of the communication message, wherein the predicting of the password candidate comprising (i) recognizing a text string pattern within content of the non-encrypted portion of the communication message and (ii) responsive to recognizing the text string pattern, extracting a string of characters that are consecutive characters at least a predetermined number of words or characters prior to or after the recognized text string pattern and distinct from the recognized text string pattern and part of the information within a non-encrypted portion of the communication message as the predicted password candidate;
  - an attachment processing module to attempt to decrypt the encrypted attachment using the predicted password candidate to generate a decrypted attachment; and
  - a content analysis module, in response to decrypting the encrypted attachment using the predicted password candidate, to perform a malicious content analysis on the decrypted attachment to determine a likelihood of whether the decrypted attachment is associated with phishing activity by including malicious content, the malicious content analysis includes (i) determining whether data within the decrypted attachment exhibits characteristics associated with malware and (ii) processing the data within one or more virtual machines and observing behaviors occurring within the one or more virtual machines, wherein the password predictor and the attachment processing module to extract a second string of characters at most a predetermined distance in characters prior to or after the recognized text string pattern for use as a second predicted password candidate if the attachment processing module is unable to decrypt the encrypted attachment using the predicted password candidate.
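The pipeline the claims describe, as an added Python example that is not code from the patent or its assignee: a pattern word in the unencrypted body (claim 1's "reference point") anchors a window of a predetermined number of words in which a password candidate is looked for; if no word-window candidate opens the attachment, a second candidate is taken as the run of text at most a predetermined number of characters after the pattern (claim 31's fallback, which also recovers passwords that contain spaces); each candidate is tried against the attachment, and the decrypted bytes get the claims' step (i), a static check for traits associated with malware. Everything concrete here is an assumption: the pattern words, the window sizes, the filler-word list, the sample messages, and the `toy_encrypt`/`toy_decrypt` container, which is a SHA-256 keystream stand-in for opening a real password-protected ZIP, PDF or Office file. Step (ii), detonation in a virtual machine, is not shown.

```python
import hashlib
import re
from typing import Callable, Iterator, Optional

# Constructed parameters (assumptions, not values from the patent): pattern words
# used as reference points, the word window (claim 1), the character distance (claim 31).
PATTERN_WORDS = frozenset({"password", "passcode", "pwd", "pin"})
WINDOW_WORDS = 3
WINDOW_CHARS = 40
# Filler words adjacent to the pattern that are not worth trying (assumption).
FILLER = frozenset({"is", "the", "your", "a", "an", "for", "to"})

_TOKEN_RE = re.compile(r"\S+")
_CHAR_WINDOW_RE = re.compile(
    r"(?i)\b(?:" + "|".join(sorted(PATTERN_WORDS)) + r")\b[\s:=\-]*(.{1,%d})" % WINDOW_CHARS)

def _clean(token: str) -> str:
    """Strip quoting/punctuation that wraps a password in prose ('"Abc1,"' -> 'Abc1')."""
    return token.strip("\"'()[]<>.,;:!?")

def word_window_candidates(body: str) -> Iterator[str]:
    """Claim-1 style: tokens within WINDOW_WORDS after, then before, a pattern word."""
    tokens = _TOKEN_RE.findall(body)
    for i, tok in enumerate(tokens):
        if _clean(tok).lower() not in PATTERN_WORDS:
            continue
        after = range(i + 1, min(i + 1 + WINDOW_WORDS, len(tokens)))
        before = range(i - 1, max(i - 1 - WINDOW_WORDS, -1), -1)
        for j in list(after) + list(before):
            cand = _clean(tokens[j])
            if cand and cand.lower() not in PATTERN_WORDS | FILLER:
                yield cand

def char_window_candidates(body: str) -> Iterator[str]:
    """Claim-31 style fallback: the text at most WINDOW_CHARS characters after a
    pattern word (up to end of line), which also catches passwords with spaces."""
    for m in _CHAR_WINDOW_RE.finditer(body):
        run = m.group(1).strip().rstrip(".,;!?")
        if run:
            yield run
        if " is " in run:  # "... for the report is open sesame 42" -> "open sesame 42"
            yield run.rsplit(" is ", 1)[1].strip()

def predict_candidates(body: str) -> list[str]:
    """Ordered, de-duplicated candidates: word window first, character window second."""
    out: list[str] = []
    for cand in list(word_window_candidates(body)) + list(char_window_candidates(body)):
        if cand not in out:
            out.append(cand)
    return out

# --- toy "encrypted attachment": a stand-in for real ZIP/PDF/Office decryption ---
MAGIC = b"TOYENC1"

def _keystream(password: str, n: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(password.encode() + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def _check(password: str) -> bytes:
    return hashlib.sha256(b"pw-check|" + password.encode()).digest()[:8]

def toy_encrypt(password: str, plaintext: bytes) -> bytes:
    ks = _keystream(password, len(plaintext))
    return MAGIC + _check(password) + bytes(a ^ b for a, b in zip(plaintext, ks))

def toy_decrypt(password: str, blob: bytes) -> Optional[bytes]:
    """Plaintext on success, None on a wrong password (like a failed archive open)."""
    if not blob.startswith(MAGIC) or blob[7:15] != _check(password):
        return None
    body = blob[15:]
    return bytes(a ^ b for a, b in zip(body, _keystream(password, len(body))))

def open_attachment(body: str, blob: bytes,
                    decrypt: Callable[[str, bytes], Optional[bytes]] = toy_decrypt,
                    ) -> tuple[Optional[str], Optional[bytes]]:
    """Try each predicted candidate in order; return (password, plaintext) or (None, None)."""
    for cand in predict_candidates(body):
        plaintext = decrypt(cand, blob)
        if plaintext is not None:
            return cand, plaintext
    return None, None

def static_characteristics(data: bytes) -> list[str]:
    """Step (i) of the claimed analysis: cheap checks for traits associated with malware."""
    findings = []
    if data.startswith(b"MZ"):
        findings.append("pe_executable_header")
    if b"AutoOpen" in data or b"Auto_Open" in data:
        findings.append("office_auto_macro_name")
    if data.startswith(b"%PDF") and b"/JavaScript" in data:
        findings.append("pdf_javascript_action")
    return findings

# Constructed sample messages and attachments (not taken from the patent).
SAMPLE_BODY = "Hi, the invoice archive is protected.\nPassword: Inv0ice#2024\nRegards, Accounts"
SAMPLE_BLOB = toy_encrypt("Inv0ice#2024", b"MZ\x90\x00 fake PE header for the demo")
SPACED_BODY = "Your password for the report is open sesame 42\nThanks"
SPACED_BLOB = toy_encrypt("open sesame 42", b"%PDF-1.7 /OpenAction /JavaScript demo")
```

Calling `open_attachment(SAMPLE_BODY, SAMPLE_BLOB)` opens the first attachment on the first word-window candidate (`Inv0ice#2024`); for `SPACED_BODY` the word window yields only `report`, and the attachment is opened by the character-window fallback's `open sesame 42`, which is the claim-31 behaviour of trying a second candidate only after the first fails. In a gateway deployment `toy_decrypt` would be replaced by the real archive or document opener, and every candidate attempt should be logged with the message identifier so that a miss is visible to analysts rather than silent.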
Specification