System and method of comparative evaluation for phishing mitigation
US-2017331848-A1 · Nov 16, 2017 · US
US11847208B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11847208-B2 |
| Application number | US-202217712276-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 4, 2022 |
| Priority date | Jul 31, 2017 |
| Publication date | Dec 19, 2023 |
| Grant date | Dec 19, 2023 |
Official abstract text for this publication.
The present disclosure describes a system for saving metadata on files and using attribute data files inside a computing system to enhance the ability to provide user interfaces based on actions associated with non-executable attachments like text and document files from untrusted emails, to block execution of potentially harmful executable object downloads and files based on geographic location, and to create a prompt for users to decide whether to continue execution of potentially harmful executable object downloads and files. The system also records user behavior on reactions to suspicious applications and documents by transmitting a set of attribute data in an attribute data file corresponding to suspicious applications or documents to a server. The system interrupts execution of actions related to untrusted phishing emails in order to give users a choice on whether to proceed with actions.
Opening claim text (preview).
We claim:

1. A method comprising: identifying, by one or more processors, a name of an executable file of a launched application using a process identifier of the launched application; accessing, by the one or more processors, a set of attribute data from a data file, the data file identified for the executable file using the name of the executable file; determining, by the one or more processors, that the launched application is suspicious responsive to one or more rules being applied to one or more attributes of the set of attribute data; displaying, by the one or more processors responsive to determining that the launched application is suspicious, a prompt to allow a user to select whether to terminate execution of the launched application or to continue execution of the launched application; and causing, by the one or more processors responsive to receiving a selection from the user, the launched application to terminate or continue execution.
2. The method of claim 1, further comprising intercepting, by the one or more processors, a call of the launched application to access the executable file.
3. The method of claim 2, further comprising intercepting by a filter injected into the launched application, the call of the launched application to access the executable file.
4. The method of claim 1, further comprising preventing, by the one or more processors, the launched application to continue to execute responsive to the determination.
5. The method of claim 1, further comprising accessing, by the one or more processors, from the data file of the launched application, the one or more attributes comprising one or more of: a domain name, a user name, a subnet, a machine unique identifier and a time zone.
6. The method of claim 1, further comprising identifying, by the one or more processors, the one or more rules to apply to the set of attribute data.
7. The method of claim 1, further comprising applying, by the one or more processors, the one or more rules to one or more values of the one or more attributes.
8. The method of claim 1, wherein the data file comprises one of a master file table or an alternate data stream.
9. The method of claim 1, further comprising displaying, by the one or more processors, the prompt to identify that the launched application has been identified as suspicious.
10. The method of claim 1, further comprising preventing, by the one or more processors responsive to the determination, opening of any file by the launched application.
11. A system comprising: one or more processors, coupled to memory and configured to: identify a name of an executable file of a launched application using a process identifier of the launched application; access a set of attribute data from a data file, the data file identified for the executable file using the name of the executable file; determine that the launched application is suspicious responsive to one or more rules being applied to one or more attributes of the set of attribute data; display, responsive to determining that the launched application is suspicious, a prompt to allow a user to select whether to terminate execution of the launched application or to continue execution of the launched application; and cause, responsive to receiving a selection from the user, the launched application to terminate or continue execution.
12. The system of claim 11, wherein the one or more processors are further configured to intercept a call of the launched application to access the executable file.
13. The system of claim 12, wherein the one or more processors are further configured to intercept the call of the launched application to access the executable file using a filter injected into the launched application.
14. The system of claim 11, wherein the one or more processors are further configured to prevent the launched application to continue to execute responsive to the determination.
15. The system of claim 11, wherein the one or more processors are further configured to access, from the data file of the launched application, the one or more attributes comprising one or more of: a domain name, a user name, a subnet, a machine unique identifier and a time zone.
16. The system of claim 11, wherein the one or more processors are further configured to identify the one or more rules to apply to the set of attribute data.
17. The system of claim 11, wherein the one or more processors are further configured to apply the one or more rules to one or more values of the one or more attributes.
18. The system of claim 11, wherein the data file comprises one of a master file table or an alternate data stream.
19. The system of claim 11, wherein the one or more processors are further configured to display the prompt to identify that the launched application has been identified as suspicious.
20. The system of claim 11, wherein the one or more processors are further configured to prevent, responsive to the determination, opening of any file by the launched application.
by adding security routines or objects to programs · CPC title
for performance assessment · CPC title
monitoring of user actions (tracking the activity of the user H04L67/535) · CPC title
Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs · CPC title
at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability · CPC title