US11700234B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11700234-B2 |
| Application number | US-202117213657-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 26, 2021 |
| Priority date | Jan 26, 2021 |
| Publication date | Jul 11, 2023 |
| Grant date | Jul 11, 2023 |
Official abstract text for this publication.
Techniques are described for detecting attacks that employ a display name in an email to impersonate an email sender. A computing infrastructure hosting an email security platform may determine a similarity between the display name and an email address from which the email was received. The email security platform may determine the similarity by comparing a string associated with the display name and a string associated with the sender address. The email security platform may generate a similarity value based on a result of the display name being compared with the sender address. The email security platform may determine that the email includes the display name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation. The email security platform may delete or quarantine the email from an inbox associated with a user account.
Opening claim text (preview).
What is claimed is:
1. A method comprising: receiving an email for a user account registered with an email service; extracting, from the email, a sender name and a sender address associated with a sender of the email; comparing, by an email security platform, the sender name with the sender address; generating, by the email security platform, a similarity value based on a result of the sender name being compared with the sender address; determining, by the email security platform, that the email comprises the sender name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation; and deleting or quarantining the email from an inbox associated with the user account, based on the similarity value meeting or exceeding the threshold value, wherein the similarity value is based on first characters in a first string associated with the sender name, second characters in a second string associated with the sender address, and one or more third consecutive characters in a first substring of the first string being determined to match one or more fourth consecutive characters in a second substring of the second string, the first substring being a same length as the second substring.
2. The method of claim 1, further comprising: removing, based on a security policy, punctuation and a top-level domain (TLD) from the sender address to create a modified sender address as a replacement for the sender address, wherein comparing the sender name further comprises comparing the sender name with the modified sender address.
3. The method of claim 1, further comprising: generating, based on a security policy, an acronym associated with the sender name; comparing the acronym with the sender address; and generating a second similarity value based on a result of the acronym being compared with the sender address.
4. The method of claim 1, wherein determining whether the email comprises the sender name impersonating the name of the sender further comprises: determining a difference between the similarity value and the threshold value; normalizing and scaling the difference, as a modified difference; and determining a confidence score associated with the modified difference, and wherein deleting or quarantining the email is further based on the confidence score.
5. The method of claim 1, wherein: the sender name is compared with the sender address, based on an algorithm applied to the first string associated with the sender name and the second string associated with the sender address; and the algorithm is a longest common substring (LCS) algorithm.
6. The method of claim 1, further comprising: removing, by the email security platform and based on a security policy, punctuation and a top-level domain (TLD) from the sender address to create a modified sender address as a replacement for the sender address, wherein comparing the sender name with the sender address further comprises comparing the sender name with the modified sender address, wherein generating the similarity value further comprises generating a modified similarity value based on a second result of the sender name being compared with the modified sender address, and wherein determining whether the email comprises the sender name impersonating the name of the sender further comprises: determining whether the email comprises the sender name impersonating the name of the sender, based on the modified similarity value meeting or exceeding the threshold value indicative of impersonation; and determining that the email is malicious, based on a similarity between the sender name and the name of the sender, notwithstanding the email being received without any attachment or link.
7. The method of claim 1, wherein: the user account is associated with a first domain name of a first party; the sender name is associated with a name in a registry or list of names associated with the first party; and the sender address comprises a second domain name of a second party being different than the first party.
8. The method of claim 1, wherein: the sender name is compared with the sender address, based on an algorithm applied to a first string associated with the sender name and a second string associated with the sender address; and the algorithm is a longest common substring (LCS) algorithm.
9. A system comprising: one or more hardware processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more hardware processors, cause the one or more hardware processors to perform operations comprising: receiving an email for a user account registered with an email service, the user account being associated with a first domain name of a first party; extracting, from the email, a sender name and a sender address associated with a sender of the email, the sender name being associated with a name in a registry or list of names associated with the first party; comparing, by an email security platform, the sender name with the sender address, the sender address comprising a second domain name of a second party being different than the first party; generating, by the email security platform, a similarity value based on a result of the sender name being compared with the sender address; determining, by the email security platform, that the email comprises the sender name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation; and deleting or quarantining the email from an inbox associated with the user account, based on the similarity value meeting or exceeding the threshold value.
10. The system of claim 9, the operations further comprising: removing, based on a security policy, punctuation and a top-level domain (TLD) from the sender address to create a modified sender address as a replacement for the sender address, wherein comparing the sender name further comprises comparing the sender name with the modified sender address.
11. The system of claim 9, the operations further comprising: generating, based on a security policy, an acronym associated with the sender name; comparing the acronym with the sender address; and generating a second similarity value based on a result of the acronym being compared with the sender address.
12. The system of claim 9, wherein the similarity value is based on first characters in a first string associated with the sender name, second characters in a second string associated with the sender address, and one or more third consecutive characters in a first substring of the first string being determined to match one or more fourth consecutive characters in a second substring of the second string, the first substring being a same length as the second substring.
13. The system of claim 9, wherein determining whether the email comprises the sender name impersonating the name of the sender further comprises: determining a difference between the similarity value and the threshold value; normalizing and scaling the difference, as a modified difference; and determining a confidence score associated with the modified difference, and wherein deleting or quarantining the email is further based on the confidence score.
14. The system of claim 9, wherein: the sender name is compared with the sender address, based on an algorithm applied to a first string associated with the sender name and a second string associated with the sender address; and the algorithm is a longest common substring (LCS) alg
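The comparison described in claims 1 to 3 and 7, sketched as an added Python example; it is not code from the patent or from any product. Assumptions not found on the page: the score is the longest-common-substring length divided by the length of the name (or acronym), the threshold is 0.6, the name and acronym scores are combined by taking the larger, and the directory and addresses are constructed samples.

```python
import re
from email.utils import parseaddr

THRESHOLD = 0.6  # assumed cut-off; the page gives no number
# Constructed sample: names listed for the recipient organisation (the "first party").
DIRECTORY = {"john smith", "maria garcia"}

def lcs_len(a, b):
    """Length of the longest common substring (consecutive characters) of a and b."""
    best, prev = 0, [0] * (len(b) + 1)
    for ch in a:
        cur = [0] * (len(b) + 1)
        for j, other in enumerate(b, 1):
            if ch == other:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def squash(text):
    """Lower-case the text and drop punctuation and whitespace."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def modified_address(addr):
    """Claim 2: remove punctuation and the TLD (last domain label) from the address."""
    local, _, domain = addr.rpartition("@")
    return squash(local + domain.rsplit(".", 1)[0])

def similarity(needle, haystack):
    """Assumed scoring: matched run length as a fraction of the needle length."""
    return lcs_len(needle, haystack) / len(needle) if needle else 0.0

def evaluate(from_header, recipient_domain, directory=DIRECTORY):
    """Return (verdict, score) for one From header."""
    name, addr = parseaddr(from_header)
    target = modified_address(addr)
    score = similarity(squash(name), target)
    acronym = "".join(w[0] for w in re.findall(r"[a-z0-9]+", name.lower()))
    if len(acronym) >= 2:  # claim 3: second similarity value from the acronym
        score = max(score, similarity(acronym, target))
    # Claim 7: the name is on the first party's list and the address is at another domain.
    external = addr.rpartition("@")[2].lower() != recipient_domain.lower()
    listed = name.strip().lower() in directory
    flagged = external and listed and score >= THRESHOLD
    return ("quarantine" if flagged else "deliver"), round(score, 2)

if __name__ == "__main__":
    for hdr in ('"John Smith" <john.smith.ceo@mail-example.net>',
                '"Maria Garcia" <mgarcia@partner-mail.org>',
                '"John Smith" <billing@vendor-invoices.com>'):
        print(hdr, evaluate(hdr, "example.com"))
```

The second sample is flagged only through the acronym comparison ("mg" against "mgarciapartnermail"), which shows why a two-letter acronym match is a weak signal on its own.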
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
using filtering or selective blocking · CPC title
Message addressing, e.g. address format or anonymous messages, aliases · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title