Systems and methods for using attribute data for system protection and security awareness training

US11295010B2 · US · B2

Patent metadata

Publication number: US-11295010-B2
Application number: US-202016851914-A
Country: US
Kind code: B2
Filing date: Apr 17, 2020
Priority date: Jul 31, 2017
Publication date: Apr 5, 2022
Grant date: Apr 5, 2022

Abstract

The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.

First claim

We claim:

1. A method for alerting of access to a file based on attribute data, the method comprising: intercepting, by a document filter injected into a launched application executing on a client device, a call of the application to open an executable file of the application; resolving, by the document filter, a name of the executable file based on a process identifier of the launched application; identifying, by the document filter, the name of the file, by using an attribute data file of the file, the attribute data file including a set of attribute data; accessing, by the document filter, the set of attribute data and corresponding values from the attribute data file; identifying, by the document filter, one or more rules to be applied to the set of attribute data to determine whether or not the launched application is suspicious; applying, by the document filter, the one or more rules to values of the set of attribute data; determining, responsive to the application of the one or more rules, that the launched application is suspicious; and displaying a prompt identifying that the launched application is suspicious.

2. The method of claim 1, wherein the attribute data file comprises one of a master file table or an alternate data stream.

3. The method of claim 1, further comprising preventing, by the document filter, opening of the file.

4. The method of claim 1, wherein the set of attribute data identifies a domain of where the files were created and application of the one or more rules determines that the domain of the client device is different than the domain identified in the set of attribute data.

5. The method of claim 1, wherein the set of attribute data identifies a user that created the file and application of the one or more rules determines that the user that logged into the client device is different than the user identified in the set of attribute data.

6. The method of claim 1, further comprising displaying, by the document filter, the prompt.

7. A system for alerting of access to a file based on attribute data, the system comprising: one or more processors, coupled to memory; a document filter executable on the one or more processors and configured to be injected into a launched application executing on the one or more processors, wherein the document filter is configured to: intercept a call of the launched application to open an executable file of the application; resolve a name of the executable file based on a process identifier of the launched application; identify the name of the file, by using an attribute data file of the file, the attribute data file including a set of attribute data; access the set of attribute data and corresponding values from the attribute data file; identify one or more rules to be applied to the set of attribute data to determine whether or not the launched application is suspicious; apply the one or more rules to values of the set of attribute data; determine responsive to the application of the one or more rules, that the launched application is suspicious; and wherein the one or more processors are configured to display a prompt identifying that the launched application is suspicious.

8. The system of claim 7, wherein the attribute data file comprises one of a master file table or an alternate data stream.

9. The system of claim 7, further comprising preventing, by the document filter, opening of the file.

10. The system of claim 7, wherein the set of attribute data identifies a domain of where the files were created and application of the one or more rules determines that the domain of the client device is different than the domain identified in the set of attribute data.

11. The system of claim 7, wherein the set of attribute data identifies a user that created the file and application of the one or more rules determines that the user that logged into the client device is different than the user identified in the set of attribute data.

12. The system of claim 7, wherein the document filter is further configured to display the prompt.

13. A method for alerting of a launch of a suspicious application, the method comprising: (a) resolving, by a process filter service executing on a client device, a name of an executable file of the application based on a process identifier of a launched application; (b) identifying, by the process filter service using the name of the file, an attribute data file of the application; (c) accessing, by the process filter service, a set of attribute data and corresponding values from the attribute data file; (d) identifying, by the process filter service, one or more rules to be applied to the set of attribute data to determine whether or not the launched application is suspicious; (e) applying, by the process filter service, the one or more rules to values of the set of attribute data; (f) determining, responsive to the application of the one or more rules, that the launched application is suspicious; and (g) displaying a prompt, responsive to the determination, identifying that the launched application is suspicious.

14. The method of claim 13, further comprising preventing, by the process filter service, the launched application from continuing to execute.

15. The method of claim 13, further comprising displaying with the prompt a user interface element for a user to select whether to terminate or continue to execute the launched application.

16. The method of claim 15, further comprising the process filter service terminating or continuing to allow the launched application to execute responsive to the selection.

17. The method of claim 13, further comprising identifying from the attribute data file of the application one or more of the following attribute data: domain name, user name, subnet, machine unique ID, time zone and a source tag marking if copied from an external storage.

18. A system for alerting of a launch of a suspicious application, the system comprising: one or more processors, coupled to memory; a process filter service executable on the one or more processors and configured to: resolve a name of an executable file of the application based on a process identifier of a launched application; identify using the name of the file an attribute data file of the application; access a set of attribute data and corresponding values from the attribute data file; identify one or more rules to be applied to the set of attribute data to determine whether or not the launched application is suspicious; apply the one or more rules to values of the set of attribute data; determine, responsive to the application of the one or more rules, that the launched application is suspicious; and display a prompt, responsive to the determination, identifying that the launched application is suspicious.

19. The system of claim 18, further comprising preventing, by the process filter service, the launched application from continuing to execute.

20. The system of claim 18, further comprising displaying with the prompt a user interface element for a user to select whether to terminate or continue to execute the launched application.

Classifications

  • Monitoring of software

  • monitoring of user actions (tracking the activity of the user H04L67/535)

  • Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

  • service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12)

  • at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Knowbe4 Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1483. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 5, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).