30 results about "Phishing detection" patented technology

Systems and methods for analyzing electronic messages for phishing detection are disclosed. In one example embodiment, whether a received email message is a phishing message is determined based on the outcome of a comparison of a recipient background information to a email characteristic wherein the recipient background information is obtained from an online social network. In some embodiments, whether the received email message is a phishing message is determined by comparing a new received email message profile to an email characteristic profile to determine whether the new received email message profile is similar to the email characteristic profile. In some embodiments, whether the received email message is a phishing message is determined by comparing the email characteristics of the new received email message with pattern characteristics. In some embodiments, the determination is made by comparing a email characteristics of the received message with a historical email characteristic.

Various techniques are provided for detecting phishing attacks and notifying users of such attacks. In one example, a machine-implemented method can be provided for detecting a phishing attack over a computer network. A web page can be accessed and information associated with the web page can be processed. One or more conditions can be set in response to the processing. The conditions can be compared to a set of conditions indicative of a phishing attack. A user can then be informed of a potential phishing attack corresponding to the conditions through the display of an alert window and/or an icon. Such actions can also be performed in response to a user's selection of a link appearing in an email message. Appropriate systems and/or computer readable media incorporating these features can also be provided.

A phishing detection agent is provided. In one embodiment, a user's browser includes a plug-in application or agent that may capture a visual record of a webpage and, with a cached copy of known, authentic websites provided to it via periodic updates, perform a series of image comparison functions to determine if the suspected website is attempting to deceive the user. The phishing detection agent is capable of performing an image recognition algorithm, such as logo recognition algorithm, optical character recognition, an image similarity algorithm, or combination of two or more of the above. If the suspected webpage corresponds to one of the authentic web pages, but the domain name of the suspected web page does not match the domain name of one of the authentic web pages, the suspected web page is flagged as a phishing web site.

A method for detection of phishing attempts in received electronic mail messages includes retrieving the source code, displayed text, and a list of all specified addresses contained within the source code of a received electronic message. Visual character normalization is applied to each specified address to develop all possible address combinations and to form a normalized address list. The specified addresses are removed from the normalized address list to create a revised address list, upon which comparison tests are performed to determine if each address in the revised address list is from a valid source. The recipient of the electronic message is informed of any message found to be from an invalid source.

Systems and methods for use with a client device and a server provide interactive phishing detection at the initiation of the user. Detection of phishing is based on the user's comparison of a visual indicator sent from the server to the client device with a another identical looking visual indicator displayed, for example, on a trusted website. Several security measures may be employed such as changing the visual indicator periodically, generating the visual indicator in a random manner, and authenticating the client device to the server before the server will transmit the visual indicator to the client device. User comparison of the website-displayed visual indicator with the user's client device user interface-displayed visual indicator may facilitate user verification of authenticity of a software application.

System and method for automatically developing phishing detection rules. Based on detected phishing indicia, a quantitative score is computed for each of a plurality of predefined parameters, with each of the parameters relating to at least one of the phishing indicia. A requirement for evolving a phishing detection rule is assessed, and a new phishing detection rule is generated based on selected parameter scores meeting the rule evolution criteria and on corresponding content of the phishing indicia relating to those selected parameter scores. New phishing detection rules are applied recursively to detect phishing indicia, and more new rules can be further evolved in recursive fashion.

A computer-implemented method for detecting a phishing attempt by a given website is provided. The method includes receiving a webpage from the given website, which includes computer-readable code for the webpage. The method also includes ascertaining hyperlink references in the computer-readable code. Each hyperlink reference refers to at least a component of another webpage. The method further includes performing linking relationship analysis on at least a subset of websites identified to be referenced by the hyperlink references, which includes determining whether a first website is in a bi-directional/uni-directional linking relationship with the given website. The first website is one of the subset of websites. The method yet also includes, if the first website is in the bi-directional linking relationship, designating the given website a non-phishing website. The method yet further includes, if the first website is in the uni-directional linking relationship, performing anti-phishing measures with respect to the given website.

Systems and methods are provided for automatically detecting phishing attacks. Network traffic may be monitored to detected phishing attacks and/or identify phishing websites and/or target websites. The monitoring may comprise generating and analysing logs corresponding to the monitored network traffic, with the logs comprising network traffic events and/or information relating to requesting and responding addresses. The network traffic events used in detecting phishing attacks may comprise sequences each comprising one or more requests and responses. Requested websites may be identified as phishing websites based on event sequences meeting particular criteria. Components and/or functions utilized for monitoring the network traffic and/or automatic phishing detection based thereon may be implemented as parts of a browser and/or network routers utilized during typical and normal use operations.

The invention provides a network fishing detection method and an apparatus thereof. The method comprises the following steps: acquiring a suspected fishing host name matching a fishing object keyword; acquiring a fishing Uniform Resource Locator (URL) path corresponding to a fishing object; jointing the suspected fishing host name and the fishing URL path to form a suspected fishing URL; detecting the suspected fishing URL, and determining whether the suspected fishing URL is a fishing URL or not. According to an embodiment of the invention, through a technique of actively acquiring the suspected fishing host name matching the fishing object keyword and the fishing URL path corresponding to the fishing object, jointing them to form the suspected fishing URL, detecting the suspected fishing URL, and determining whether the suspected fishing URL is a fishing URL or not, a problem that in the prior art passive detection triggered by a user can not deal with more and more rampant and general fishing attack is overcome, early discovery of a fishing website is realized, and fishing website detection efficiency is raised.

The present disclosure provides phishing heuristic systems and methods that detect phishing sites. The present invention may be implemented via a server connected to the Internet, via a distributed security system, and the like. Phishing sites may be detected in a single transaction, i.e. client request plus server reply, while knowing as little as possible about the site being masqueraded. In an exemplary embodiment, a phishing site detection system and method utilized three steps—whitelisting, blacklisting, and scoring. For example, if a particular page meets all requirements of blacklisting without any elements of whitelisting and has a score over a particular threshold, that particular site may be designated as a phishing page.

A system and method exploit information gained by observing abnormal commonality factors from multiple accounts over a predetermined time frame. The presence of an abnormal commonality factor serves as an indication that a group of accounts may have been compromised by a common actor via information gained by successful phishing of multiple users' information to improperly gain access to their respective accounts. Once this commonality associated with phishing is detected, the system provides a mechanism and process to rapidly respond to the phishing-originated attack to minimize information security damage to the affected accounts.

The invention provides a phishing website detection method excavated based on a network group. The phishing website detection method includes constructing a webpage set related to a given iffy webpage by using a crawler, then obtaining an iffy website and a potential target website thereof, furthermore calculating website feature signatures, and judging whether the iffy website is a phishing website or not through similarity calculations of the website feature signatures, if yes, returning to the target website thereof. The purpose of the phishing website detection method is detecting whether the website which the iffy webpage is located in is the phishing website so as to find the target website of the phishing website when detection is finished. The process of phishing detection is the process of finding the target website, and due to the fact that the iffy website is only calculated with the related potential target website for similarity, comparisons of the iffy website with irrelevant legal websites in internet are reduced, phishing detection efficiency is improved, resources are saved effectively, and work efficiency is improved.

The invention discloses a network fishing detection method based on a douche group algorithm support vector machine. The method comprises the following steps of firstly, initializing basic parametersof the douche group algorithm, including population number, iteration times, individual dimension and search space; randomly initializing the position and range of the individual; and then dividing into leader vessel sea sheaths and follower vessel sea sheaths according to the magnitude of the fitness value, and excavating the optimal parameters of the support vector machine by using the coordination and cooperation of the two vessel sea sheaths. In each iteration, the function for evaluating the fitness value of the individual is the detection accuracy of the parameter carried by the individual on the phishing website data set by the support vector machine. Compared with the common optimization algorithms such as a genetic algorithm, a gravitation search algorithm, a bat algorithm and a particle swarm algorithm, the optimal parameter parameters of the support vector machine can be mined as much as possible on the optimized support vector machine, and the fishing detection accuracy ofthe support vector machine is improved.

Methods and systems for detecting a phishing attack on a computer device can involve scanning one or more email messages, and separating email parts from the one or more email messages, in response to scanning the at least one email message. In addition, the email parts of the at least one email message can be subject to a feature extraction operation. The email features extracted from the email parts can be then analyzed to determine whether or not any of the email features contain suspected phishing content, confirmed phishing content and benign email content.

Systems and methods include obtaining a Uniform Resource Locator (URL) for a site on the Internet; analyzing the URL with a Machine Learning (ML) model to determine whether or not the site is suspicious for phishing; responsive to the URL being suspicious for phishing, loading the site to determine whether or not an associated brand of the site is legitimate or not; and, responsive to the site being not legitimate for the brand, categorizing the URL for phishing and performing a first action based thereon. The systems and methods can further include, responsive to the URL being not suspicious for phishing or the site being legitimate for the brand, categorizing the URL as legitimate and performing a second action based thereon.

A computer implemented method of detecting a phishing threat using a pre-defined statistical model to determine whether a network resource is a potential phishing threat based on features extracted from a network resource identifier for the network resource. The method includes: receiving a request to access a network resource; determining, from the request, a network resource identifier for the requested network resource; extracting one or more features from the network resource identifier; applying the pre-defined statistical model to the extracted features; and classifying the network resource as a phishing threat if the output of the statistical model, when applied to the extracted features, determines that the network resource is a potential phishing threat.

Computerized methods and systems receive, from a web client of a client device, a request, addressed to a web server, to retrieve a requested web resource hosted by the web server. An initial reputation associated with the requested web resource is determined. A user of the client device is prompted to respond to at least one generated query corresponding to the requested web resource, in response to the determined initial reputation. At least one response to the at least one generated query is received from the user. The initial reputation associated with the requested web resource is updated, based in part on the at least one response to the at least one generated query received from the user.

An email phishing detection mechanism is provided that utilizes machine learning algorithms. The machine learning algorithms are trained on phishing and non-phishing features extracted from a variety of data sets. Embodiments extract embedded URL-based and email body text-based feature sets for training and testing the machine learning algorithms. Embodiments determine the presence of a phishing message through a combination of examining an embedded URL and the body text of the message for the learned feature sets.

The invention discloses a malicious advertisement attack detection method. URL information in a to-be-detected website is extracted by utilizing an open-source crawler Nutch; compared with a commercial search engine, the Nutch can grab billions of web pages per month and provide high-quality retrieval results; only URL links related to advertisements are extracted in URL extraction; the detection efficiency can be improved; phishing detection is realized through a Google Safe Browser API; a to-be-detected URL is sent to the API for performing verification; whether the URL is secure or not can be judged according to response information; a library is realized by Google search and an international anti-phishing union, is very huge in scale and can detect a large amount of attack behaviors; for an attack URL confirmed by the API, the URL needs to be extracted from a to-be-detected set and information of the URL is recorded in a log file; the log record of the URL information is realized through Log4j; a flexible record way is provided; an output position, an output format and a log level of a log can be configured separately; malicious advertisement attack behaviors detected in log analysis are displayed in the form of a pie chart and a bar chart, so that a detection result can be vividly displayed; and the detection method is complete in rule, is based on a client, and not only realizes unified detection of malicious advertisement attacks but also has a good detection effect.