Systems and methods for detecting suspicious internet addresses

US9736178B1 · US · B1

Patent metadata
Publication number: US-9736178-B1
Application number: US-201615090775-A
Country: US
Kind code: B1
Filing date: Apr 5, 2016
Priority date: Jul 7, 2014
Publication date: Aug 15, 2017
Grant date: Aug 15, 2017

Abstract

Official abstract text for this publication.

The disclosed computer-implemented method for detecting suspicious Internet addresses may include (1) monitoring Internet communications of an entity (e.g., an organization or individual), (2) compiling an Internet-address history for the entity that includes one or more Internet addresses involved in the Internet communications of the entity, (3) detecting, after compiling the Internet-address history for the entity, an additional Internet address that may be used in future Internet communications involving the entity, (4) computing a similarity metric between the additional Internet address and at least one Internet-address in the Internet-address history, (5) determining that the similarity metric indicates that the additional Internet address is suspicious, and (6) performing a security action in response to determining that the similarity metric indicates that the additional Internet address is suspicious. Various other methods, systems, and computer-readable media are also disclosed.
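The similarity check in steps (4) to (6), sketched as an added example that is not taken from the patent or from any product. The confusable-character table, the substitution costs, the 0.95 threshold, the function names and the address history are all constructed assumptions.

```python
# Added illustration: every name, table entry and threshold here is an assumption.
CONFUSABLE = {frozenset(p) for p in
              [("l", "1"), ("l", "i"), ("i", "1"), ("o", "0"), ("s", "5"), ("b", "6")]}
CONFUSABLE_COST = 0.25               # a look-alike swap counts as a quarter of an edit
FOLDS = {"rn": "m", "vv": "w"}       # letter pairs that read as a single glyph

def fold(addr):
    """Lowercase and collapse multi-character look-alikes before comparing."""
    addr = addr.lower()
    for seq, glyph in FOLDS.items():
        addr = addr.replace(seq, glyph)
    return addr

def weighted_distance(a, b):
    """Levenshtein distance where visually similar substitutions are cheap."""
    prev = [float(j) for j in range(len(b) + 1)]
    for i, ca in enumerate(a, 1):
        cur = [float(i)]
        for j, cb in enumerate(b, 1):
            if ca == cb:
                sub = 0.0
            elif frozenset((ca, cb)) in CONFUSABLE:
                sub = CONFUSABLE_COST
            else:
                sub = 1.0
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + sub))
        prev = cur
    return prev[-1]

def mistake_likelihood(candidate, trusted):
    """Score in [0, 1]: 1.0 means the two addresses look identical once folded."""
    a, b = fold(candidate), fold(trusted)
    return 1.0 - weighted_distance(a, b) / max(len(a), len(b), 1)

def check_address(candidate, history, threshold=0.95):
    """Return (trusted_address, score) if candidate imitates a trusted address."""
    cand = candidate.lower()
    if not history or cand in history:   # an exact match is the trusted address itself
        return None
    best = max(history, key=lambda t: mistake_likelihood(cand, t))
    score = mistake_likelihood(cand, best)
    return (best, score) if score >= threshold else None

# Constructed address history, standing in for addresses seen in past traffic.
HISTORY = {"examplebank.com", "corp-mail.example"}

if __name__ == "__main__":
    for addr in ("examp1ebank.com", "corp-rnail.example", "exampxebank.com", "unrelated.org"):
        print(addr, "->", check_address(addr, HISTORY))
```

A non-`None` result is the point at which the security action (block or warn) would be taken.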

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method for detecting suspicious Internet addresses, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: monitoring Internet communications of an entity; compiling an Internet-address history for the entity that comprises a trusted Internet address of at least one of: a source of an Internet communication received by the entity; and a destination of an Internet communication sent by the entity; and after compiling the Internet-address history for the entity: detecting a suspicious Internet address that may be used in future Internet communications involving the entity; determining that a likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above a predetermined threshold; and performing a security action in response to determining that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold.

2. The computer-implemented method of claim 1, wherein determining that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold comprises determining that the suspicious Internet address and the Internet-address differ by only a predetermined number of characters.

3. The computer-implemented method of claim 1, wherein determining that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold comprises determining that the suspicious Internet address and the Internet-address differ by only a predetermined number of visually similar characters.

4. The computer-implemented method of claim 1, wherein determining that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold comprises determining that the suspicious Internet address and the Internet-address differ by only characters that are confused for each other at greater than a predetermined rate.

5. The computer-implemented method of claim 1, wherein determining that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold comprises determining that a difference between the suspicious Internet address and the Internet-address is attributable to a substitution of one syllable for a phonetically similar syllable.

6. The computer-implemented method of claim 1, wherein determining that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold comprises determining that an optical character recognition system mistakes the suspicious Internet address for the trusted Internet address.

7. The computer-implemented method of claim 1, wherein: detecting the suspicious Internet address comprises detecting the suspicious Internet address in an inbound Internet communication of the entity; performing the security action comprises at least one of: blocking the inbound Internet communication; informing the entity that the suspicious Internet address in the inbound Internet communication is suspicious.

8. The computer-implemented method of claim 1, wherein: detecting the suspicious Internet address comprises detecting an outbound Internet communication that is transmitted by the entity to the suspicious Internet address; performing the security action comprises at least one of: blocking the outbound Internet communication; informing the entity that the suspicious Internet address is suspicious.

9. The computer-implemented method of claim 1, wherein: detecting the suspicious Internet address comprises detecting an attempt by the entity to use the suspicious Internet address; performing the security action comprises at least one of: blocking the attempt by the entity to use the suspicious Internet address; informing the entity that the suspicious Internet address is suspicious.

10. The computer-implemented method of claim 1, wherein the suspicious Internet address and the trusted Internet address are email addresses.

11. The computer-implemented method of claim 1, wherein the suspicious Internet address and the trusted Internet address are domain names.

12. The computer-implemented method of claim 1, wherein the suspicious Internet address and the trusted Internet address are uniform resource locators.

13. A system for detecting suspicious Internet addresses, the system comprising: memory comprising: a monitoring module, stored in the memory, that monitors Internet communications of an entity; a compiling module, stored in the memory, that compiles an Internet-address history for the entity that comprises a trusted Internet address of at least one of: a source of an Internet communication received by the entity; and a destination of an Internet communication sent by the entity; a detecting module, stored in the memory, that detects, after the Internet-address history for the entity is compiled, a suspicious Internet address that may be used in future Internet communications involving the entity; a determining module, stored in the memory, that determines that a likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above a predetermined threshold; and a security module, stored in the memory, that performs a security action in response to the determination that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold; and at least one physical processor that executes the monitoring module, the compiling module, the detecting module, the determining module, and the security module.

14. The system of claim 13, wherein the determining module determines that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold by determining that the suspicious Internet address and the Internet-address differ by only a predetermined number of characters.

15. The system of claim 13, wherein the determining module determines that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold by determining that the suspicious Internet address and the Internet-address differ by only a predetermined number of visually similar characters.

16. The system of claim 13, wherein the determining module determines that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold by determining that the suspicious Internet address and the Internet-address differ by only characters that are confused for each other at greater than a predetermined rate.

17. The system of claim 13, wherein the determining module determines that the likelihood that a user would mistake the suspicious Internet address for the trusted Internet address is above the predetermined threshold by determining that a difference between the suspicious Internet address and the Internet-address is attributable to a substitution of one syllable for a phonetically similar syllable.

18. The system of claim 13, wherein the determining module determines that the likelihood that a user would mistake

Classifications

  • Vulnerability analysis

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)

  • by monitoring network traffic (monitoring network traffic per se H04L43/00)

  • above the transport layer

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9736178B1 cover?
The disclosed computer-implemented method for detecting suspicious Internet addresses may include (1) monitoring Internet communications of an entity (e.g., an organization or individual), (2) compiling an Internet-address history for the entity that includes one or more Internet addresses involved in the Internet communications of the entity, (3) detecting, after compiling the Internet-address…
Who is the assignee on this patent?
Symantec Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 15, 2017 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).