US9740858B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9740858-B1 |
| Application number | US-201514798852-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jul 14, 2015 |
| Priority date | Jul 14, 2015 |
| Publication date | Aug 22, 2017 |
| Grant date | Aug 22, 2017 |
Abstract
Forged emails are detected by extracting email address parts of a sender email address. The email address parts include an account name, a subdomain, and a base domain of the sender email address. The mutation ratios of the email address parts relative to reference strings are calculated to determine the similarity of each email address part to its reference string. The mutation ratios are compared to ratio thresholds to identify suspicious email addresses, and the results of identifying suspicious email addresses are correlated with other computer security information to identify forged emails.
Opening claim text (preview).
What is claimed is:

1. A method of detecting forged emails, the method comprising: receiving a sender email in a first computer, the sender email being addressed to a user of a private computer network; extracting a plurality of email address parts from a sender email address of the sender email; determining a first mutation ratio of a first email address part of the sender email address relative to a first reference string, the first mutation ratio being a measure of a degree of similarity of the first email address part to the first reference string; comparing the first mutation ratio to a first ratio threshold; when the first mutation ratio indicates that the first email address part is not identical to the first reference string and the first mutation ratio is above the first ratio threshold, identifying the sender email address as a suspicious email address based on a result of comparing the first mutation ratio to the first ratio threshold; when the first mutation ratio indicates that the first email address part is not identical to the first reference string and the first mutation ratio is below the first ratio threshold, identifying the sender email as a normal email that is allowed into the private computer network, and after deeming the sender email address to be the suspicious email address, consulting a first computer security server to obtain a computer security information that identifies the sender email as a forged email.

2. The method of claim 1, further comprising: determining a second mutation ratio of a second email address part of the sender email address relative to a second reference string, the second mutation ratio being a measure of degree of similarity of the second email address part to the second reference string; comparing the second mutation ratio to a second ratio threshold; and identifying the sender email address as the suspicious email address based on a result of comparing the second mutation ratio to the second ratio threshold.

3. The method of claim 2, wherein the first email address part comprises an account name of the sender email address and the second email address part comprises a base domain of the sender email address.

4. The method of claim 3, further comprising: determining a third mutation ratio of a third email address part of the sender email address relative to a third reference string, the third mutation ratio being a measure of degree of similarity of the third email address part to the third reference string; comparing the third mutation ratio to a third ratio threshold; and identifying the sender email address as the suspicious email address based on a result of comparing the third mutation ratio to the third ratio threshold.

5. The method of claim 4, wherein the third email address part comprises a subdomain of the sender email address.

6. The method of claim 1, wherein the first email address part comprises an account name of the sender email address and the first computer security server hosts a honeypot that includes another email with a same content as the sender email.

7. The method of claim 1, wherein the first computer is a mail transfer agent (MTA) of the private computer network.

8. A system comprising: a storage device comprising a log of emails of a private computer network; a first server computer that serves as a mail transfer agent of the private computer network, retrieves from the log of emails a sender email address of a sender email, extracts a first email address part from the sender email address, determines a first mutation ratio of the first email address part relative to a first reference string to determine a degree of similarity of the first email address part to the first reference string, compares the first mutation ratio to a first ratio threshold, identifies the sender email address as a suspicious email address based on a result of comparing the first mutation ratio to the first ratio threshold when the first mutation ratio indicates that the first email address part is not identical to the first reference string and the first mutation ratio is above the first ratio threshold, identifies the sender email as a normal email that is allowed into the private computer network when the first mutation ratio indicates that the first email address part is not identical to the first reference string and the first mutation ratio is below the first ratio threshold, and consults a second server computer to obtain a computer security information that identifies the sender email as a forged email after identifying the sender email address as the suspicious email address; and the second server computer in communication with the first server computer to correlate identification of the sender email address as the suspicious email address with another computer security information to identify the sender email as the forged email.

9. The system of claim 8, wherein the second server computer comprises a honeypot that includes another email with a same content as the sender email.

10. The system of claim 8, wherein the first email address part comprises an account name of the sender email address.

11. The system of claim 8, wherein the first email address part comprises a base domain of the sender email address.

12. The system of claim 8, wherein the first email address part comprises a subdomain of the sender email address.

13. The system of claim 8, wherein the first server computer extracts a second email address part from the sender email address, determines a second mutation ratio of the second email address part relative to a second reference string to determine a degree of similarity of the second email address part to the second reference string, compares the second mutation ratio to a second ratio threshold, and identifies the sender email address as the suspicious email address based on a result of comparing the second mutation ratio to the second ratio threshold.

14. The system of claim 13, wherein the first email address part comprises an account name of the sender email address and the second email address part comprises a base domain of the sender email address.

15. A non-transitory computer-readable medium comprising instructions stored thereon, that when executed by a processor, perform the steps of: parsing a sender email address of a sender email to identify a first email address part of the sender email address; determining a first mutation ratio of the first email address part of the sender email address relative to a first reference string, the first mutation ratio being a measure of a degree of similarity of the first email address part to the first reference string; comparing the first mutation ratio to a first ratio threshold to determine if the sender email address is a forged email address; when the first mutation ratio is above the first ratio threshold and the first email address part is not identical to the first reference string, identifying the sender email address as the forged email address; when the first mutation ratio is below the first ratio threshold and the first email address part is not identical to the first reference string, identifying the sender email as a normal email that is allowed into a computer network; and consulting a first computer security server to obtain a computer security information that identifies the sender email as a forged email.

16. The non-transitory computer-readable medium of claim 15, wherein the first email address part comprises a base domain of the sender email address.

17. The non-transitory computer-readable me
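The abstract and claims above describe a two-stage check: split the sender address into account name, subdomain and base domain; score each part against a reference string with a "mutation ratio"; flag the address as suspicious when a part is close to but not identical with its reference; then confirm a forgery by correlating with other security information such as a honeypot holding an email with the same content. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes the mutation ratio is a similarity score in [0, 1] computed with `difflib.SequenceMatcher` (the patent does not fix the metric), uses a hypothetical organisation's names as reference strings, illustrative thresholds, a tiny stand-in for the Public Suffix List, and a constructed in-memory honeypot.

```python
"""Lookalike sender-address check modelled on the claims of US9740858B1.

Added example, not code from the patent or its assignee. Assumptions:
the "mutation ratio" is a similarity score in [0, 1] from
difflib.SequenceMatcher (the patent does not specify the metric); the
reference strings belong to a hypothetical organisation; thresholds are
illustrative; the honeypot is a constructed in-memory set of body hashes.
"""
import hashlib
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Constructed reference strings for a hypothetical protected organisation.
REFERENCES: Dict[str, List[str]] = {
    "account": ["ceo", "payroll", "helpdesk"],
    "subdomain": ["mail", "corp"],
    "base_domain": ["examplecorp.com"],
}
# Illustrative per-part ratio thresholds; a deployment tunes these.
THRESHOLDS: Dict[str, float] = {"account": 0.80, "subdomain": 0.80, "base_domain": 0.85}
# Tiny stand-in for the Public Suffix List, used to find the registrable domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


@dataclass
class Parts:
    account: str
    subdomain: str
    base_domain: str


def extract_parts(address: str) -> Parts:
    """Split user@sub.base.tld into the three parts the claims enumerate."""
    local, _, domain = address.strip().lower().rpartition("@")
    labels = domain.split(".")
    for n in (2, 1):                      # try the longest public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            base = ".".join(labels[-(n + 1):])
            sub = ".".join(labels[:-(n + 1)])
            return Parts(local, sub, base)
    return Parts(local, "", domain)       # unknown suffix: whole domain is the base


def mutation_ratio(part: str, reference: str) -> float:
    """Similarity in [0, 1]; exactly 1.0 means identical (assumed definition)."""
    return SequenceMatcher(None, part, reference).ratio()


def classify_part(name: str, value: str) -> Tuple[str, float, str]:
    """Apply the claim-1 decision to one part: identical / suspicious / normal."""
    if not value:
        return "normal", 0.0, ""          # nothing to compare (e.g. no subdomain)
    best_ref, best = max(((ref, mutation_ratio(value, ref)) for ref in REFERENCES[name]),
                         key=lambda t: t[1])
    if best == 1.0:
        return "identical", best, best_ref   # exact match: not a lookalike
    if best > THRESHOLDS[name]:
        return "suspicious", best, best_ref  # close but not identical: lookalike
    return "normal", best, best_ref          # below threshold: allowed through


def analyze_sender(address: str) -> Dict[str, object]:
    """Stage one: per-part mutation ratios and an overall suspicious flag."""
    parts = extract_parts(address)
    verdicts = {name: classify_part(name, getattr(parts, name))
                for name in ("account", "subdomain", "base_domain")}
    return {"address": address, "parts": parts, "verdicts": verdicts,
            "suspicious": any(v[0] == "suspicious" for v in verdicts.values())}


def body_fingerprint(body: str) -> str:
    """Normalise whitespace and case before hashing so trivial edits still match."""
    return hashlib.sha256(" ".join(body.split()).lower().encode()).hexdigest()


# Constructed honeypot corpus: fingerprints of lures already caught elsewhere.
HONEYPOT = {body_fingerprint("Please process the attached wire transfer today.")}


def correlate(address: str, body: str) -> str:
    """Stage two: a suspicious address is confirmed forged only when other
    security information (here, the honeypot) corroborates it."""
    if not analyze_sender(address)["suspicious"]:
        return "normal"
    return "forged" if body_fingerprint(body) in HONEYPOT else "suspicious"


if __name__ == "__main__":
    for addr in ("ceo@mail.examp1ecorp.com", "payrol1@examplecorp.com",
                 "alice@unrelated-vendor.net"):
        result = analyze_sender(addr)
        print(addr, "suspicious" if result["suspicious"] else "normal", result["verdicts"])
```

Two caveats worth keeping in mind when reading the claims against this code. First, an address whose parts are all identical to the references scores 1.0 and is not a lookalike at all; exact spoofing of the real domain is the job of SPF, DKIM and DMARC, not of a similarity check. Second, the threshold decides what counts as "close": with the illustrative 0.80 above, `payrol1` is flagged but `payro11` (ratio 0.71) is not, which is why the patent pairs the ratio check with a second corroborating source rather than blocking on the ratio alone.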
CPC classification titles:

- Message addressing, e.g. address format or anonymous messages, aliases
- using filtering or selective blocking
- by source code analysis
- involving long-term monitoring or reporting
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities