Automated mitigation of electronic message based security threats

US10511637B2 · US · B2

Patent metadata
Publication number: US-10511637-B2
Application number: US-201816192206-A
Country: US
Kind code: B2
Filing date: Nov 15, 2018
Priority date: Oct 2, 2017
Publication date: Dec 17, 2019
Grant date: Dec 17, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more of the security threats, where the observable indicators include at least one of a network address, a hyperlink, or a representation of an attached file; remotely query a security threat database for the observable indicators; receive, from the security threat database, an indication that the observable indicators are associated with a particular security threat; and transmit, to the security enforcement point device, a command to update its associated security policy such that the particular security threat is mitigated.

First claim

Opening claim text (preview).

What is claimed is:

1. A system configured to detect and mitigate phishing attacks for a network, the system comprising: an email server device having a spam filter configured to apply one or more filtering rules to a message sent to one or more client devices associated with the network; and a security decision point application configured to: receive the message from the email server device, wherein the message was not classified as spam by the spam filter but suspected to be a phishing attack; parse the message for an observable indicator of the phishing attack; query a security threat database for the observable indicator, wherein the security threat database is configured to determine whether the observable indicator is associated with known phishing attacks; receive a result of the determination from the security threat database; and in response to the result indicating that the observable indicator is not associated with the known phishing attacks, transmit an update to the spam filter to classify a future message having the observable indicator as spam.

2. The system of claim 1, wherein the security decision point application is configured to transmit an additional update to the email server device to block the future message having the observable indicator in response to the result indicating that the observable indicator is associated with the known phishing attacks.

3. The system of claim 1, wherein the observable indicator comprises a network address, a hyperlink, a representation of an attached file, a sender name, or a recipient name.

4. The system of claim 3, wherein the representation of the attached file is a hash computed by applying a one-way function to the attached file.

5. The system of claim 1, wherein the security threat database comprises one or more feature vectors representing an array of known observable indicators associated with the known phishing attacks, and wherein the security threat database is configured to determine whether the observable indicator is associated with the known phishing attacks by comparing the observable indicator to the one or more feature vectors.

6. The system of claim 1, wherein the security decision point application is configured to: receive, from a computing device, a query for a particular observable indicator; determine whether the particular observable indicator is maintained in the security threat database; and based upon a determination that the particular observable indicator is maintained in the security threat database, transmit, to the computing device for display, information representing one or more configuration items that received at least one message having the particular observable indicator.

7. The system of claim 1, wherein the message comprises an email message, a short message service (SMS) message, an instant messaging (IM) message, or a group chat message.

8. The system of claim 1, wherein the message comprises an email message having an attached file, and wherein the security decision point application is configured to: query the email server device to determine a number of times that the attached file has been received by the email server device, a number of email accounts to which the attached file was delivered, the email accounts to which the attached file was delivered, or any combination thereof.

9. A method comprising: receiving, by a security decision point application, a message from an email server device having a spam filter, wherein the message was not classified as spam by the spam filter but suspected to be a phishing attack; parsing, by the security decision point application, the message for an observable indicator of a phishing attack; querying, by the security decision point application, a security threat database for the observable indicator, wherein the security threat database is configured to determine whether the observable indicator is associated with known phishing attacks; receiving, by the security decision point application, a result of the determination from the security threat database; and in response to the result indicating that the observable indicator is not associated with the known phishing attacks, transmitting, by the security point application, an update to the spam filter to classify a future message having the observable indicator as spam.

10. The method of claim 9, comprising transmitting, by the security point application, an additional update to the email server device to block the future message having the observable indicator in response to the result indicating that the observable indicator is associated with the known phishing attacks.

11. The method of claim 9, wherein the observable indicator comprises a network address, a hyperlink, a representation of an attached file, a sender name, or a recipient name.

12. The method of claim 11, wherein the representation of the attached file is a hash computed by applying a one-way function to the attached file.

13. The method of claim 9, wherein the security threat database comprises one or more feature vectors representing an array of known observable indicators associated with the known phishing attacks, and wherein the security threat database is configured to determine whether the observable indicator is associated with the known phishing attacks by comparing the observable indicator to the one or more feature vectors.

14. The method of claim 9, further comprising: receiving, by the security decision point application from a computing device, a query for a particular observable indicator; determining, by the security decision point application, whether the particular observable indicator is maintained in the security threat database; and based upon a determination that the particular observable indicator is maintained in the security threat database, transmitting, by the security decision point application to the computing device for display, information representing one or more configuration items that received at least one message having the particular observable indicator.

15. The method of claim 9, wherein the message comprises an email message, a short message service (SMS) message, an instant messaging (IM) message, or a group chat message.

16. The method of claim 9, wherein the message comprises an email message having an attached file, and the method comprising: querying, by the security decision point application, the email server device to determine a number of times that the attached file has been received by the email server device, a number of email accounts to which the attached file was delivered, the email accounts to which the attached file was delivered, or any combination thereof.

17. A tangible, non-transitory computer-readable medium, comprising instructions that, when executed by one or more processors, cause the one or more processors to: receive a message from an email server device having a spam filter, wherein the message was not classified as spam by the spam filter but suspected to be a phishing attack; parse the message for an observable indicator of a phishing attack; query a security threat database for the observable indicator, wherein the security threat database is configured to determine whether the observable indicator is associated with known phishing attacks; receive a result of the determination from the security threat database; and in response to the result indicating that the observable indicator is not associated with the known phishing attacks, transmit an update to the spam filter to classify a future message havin
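The decision-point pipeline the claims describe (parse a suspected phishing message for observable indicators, look them up in a threat database, then emit a filter update) can be sketched in a few lines. This is an added illustration, not code from the patent or from the assignee; the message, the threat database contents and the indicator prefixes are all constructed for the example.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message (hypothetical, not from the patent): an email that
# passed the spam filter but is suspected to be phishing. It carries a
# hyperlink, a bare network address and an attached file.
RAW_MESSAGE = b"""From: billing@invoices.example
To: alice@corp.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Pay at http://pay.invoices.example/login or call 203.0.113.7
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

# Constructed stand-in for the security threat database: indicators already
# associated with known phishing attacks.
KNOWN_PHISHING = {"ip:203.0.113.7"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_indicators(raw: bytes) -> set:
    """Parse a message into observable indicators (claim 3): sender name,
    hyperlinks, network addresses, and a one-way hash of each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"sender:" + str(msg["From"]).strip().lower()}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # Represent the attached file by a SHA-256 digest (claim 4).
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            found.add("sha256:" + digest)
        elif part.get_content_type() == "text/plain":
            body = part.get_content()
            found.update("url:" + u for u in URL_RE.findall(body))
            found.update("ip:" + a for a in IPV4_RE.findall(body))
    return found


def filter_updates(indicators: set, known: set) -> dict:
    """Map each indicator to the update sent to the email server: unknown
    indicators get a spam-classification rule (claim 1), known ones a block
    rule (claim 2)."""
    return {i: ("block" if i in known else "spam") for i in sorted(indicators)}


if __name__ == "__main__":
    for indicator, action in filter_updates(
            extract_indicators(RAW_MESSAGE), KNOWN_PHISHING).items():
        print(f"{action:5s} {indicator}")
```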

Assignees

Servicenow Inc

Classifications

  • Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • Indexing; Web crawling techniques · CPC title

  • Proxies · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10511637B2 cover?
An example embodiment may include a security enforcement point device disposed within a managed network and a security decision point device disposed within a computational instance of a remote network management platform. The security decision point device may be configured to: receive a message by way of the managed network; parse the message to identify observable indicators of one or more o…
Who is the assignee on this patent?
Servicenow Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Dec 17, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).