Systems and methods for intelligent phishing threat detection and phishing threat remediation in a cyber security threat detection and mitigation platform
US-2024414198-A1 · Dec 12, 2024 · US
US9825985B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9825985-B2 |
| Application number | US-201514727627-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 1, 2015 |
| Priority date | Mar 6, 2013 |
| Publication date | Nov 21, 2017 |
| Grant date | Nov 21, 2017 |
Official abstract text for this publication.
Disclosed here are methods, systems, paradigms and structures for determining fraudulent content in a social network. The methods include identifying a plurality of users of the social network who perform a plurality of tasks within the social network in a lockstep manner. In the method, the plurality of users are determined to be performing a given task in the lockstep manner when the plurality of users each perform the given task within a predefined duration of time, where the predefined duration of time is associated with the given task. The method further includes identifying content data generated by the performance of the plurality of tasks by each of the plurality of users. The method further includes determining at least a portion of the content data generated by the performance of the plurality of tasks as fraudulent content.
Opening claim text (preview).
What is claimed is:
1. A method of identifying a group of suspicious users of a social network who produce fraudulent web contents in the social network, the method comprising: selecting an initial group of users from an overall group of users of the social network and an initial set of web contents from an overall set of web contents in the social network, wherein each user of the initial group of users is associated with at least one of the initial set of web contents, and wherein each web content of the initial set of web contents is associated with at least one of the initial group of users, wherein each web content of the overall set of web contents has a timeframe of a specific length for the corresponding web content; setting a current group of users to be the initial group of users and a current set of web contents to be the initial set of web contents; setting a current cluster to be a combination of the current group of users and the current set of web contents; updating iteratively the current cluster to increase a number of multiple associations in the current cluster, each of the multiple associations satisfying a specific criterion and having a time value falling in the timeframe for a web content of the corresponding association, until the current cluster comprising the current group of users and the current set of web contents does not change from a previous iteration; determining whether a condition is satisfied, the condition being a size of the current group of users exceeds a first specified value and a size of the current set of web contents exceeds a second specified value, wherein the first and second specified values are positive integers; and in an event the condition is satisfied: identifying the current group of users as the group of suspicious users, and removing the current set of web contents from the social network.
2. The method of claim 1, wherein through the multiple associations that satisfy the specific criterion, each user of the current group of users is associated with each web content of a subset of the current set of web contents, wherein a size of the subset is a product of the second specified value and a third specified value, and wherein the third specified value is a fraction.
3. The method of claim 1, the updating comprising: adjusting the current group of users for the current set of web contents to increase the number of the multiple associations in the current cluster; and after any adjustment of the current group of users, adjusting the current set of web contents for the current group of users to increase the number of the multiple associations in the current cluster.
4. The method of claim 3, wherein adjusting the current group of users comprises: for each web content of the current set of web contents, computing an aggregate of a set of time values of a set of associations associated with the corresponding web content; for each web content of the current set of web contents, updating a timeframe for the corresponding web content based on the aggregate to generate a set of timeframes; and adding a first set of users from the overall group of users to the current group of users or removing a second set of users from the current group of users to increase the number of the multiple associations in the current cluster based on the set of time values and the set of time frames.
5. The method of claim 1, wherein each association of the multiple associations between a specified user of the current group of users and a specified web content of the current set of web contents indicates an acknowledgment by the specified user of the specified web content; and wherein the time value of the corresponding association indicates a time at which the specified user indicated the acknowledgement of the specified web content.
6. The method of claim 1, the selecting comprising: including in the initial group of users a random subgroup of the overall group of users; including in the initial set of web contents a random subset of the overall set of web contents; removing from the initial group of users every user that is not associated with any of the initial set of web contents; and removing from the initial set of web contents every web content that is not associated with any of the initial group of users.
7. The method of claim 1, further comprising: if the condition is satisfied, reporting that the current set of web contents is fraudulent; and if the condition is not satisfied, reporting that no fraudulent web contents have been found.
8. A system for identifying a group of suspicious users of a social network who produce fraudulent web contents in the social network, comprising: at least one memory storing computer-executable instructions; at least one processor; and a lockstep detection engine configured to: set a current group of users to be a subgroup of an overall group of users of the social network and a current set of web contents to be a subset of an overall web contents in the social network, wherein each user of the current group of users is related to at least one of the current set of web contents, wherein each web content of the current set of web contents is related to at least one of the current group of users, and wherein each web content of the overall set of web contents has a timeframe of a specific length for the corresponding web content; set a current cluster to be a combination of the current group of users and the current set of web contents; iteratively update the current cluster to increase a number of multiple relations in the current cluster, each of the multiple relations satisfying a specific criterion and having a time value falling in the timeframe for a web content of the corresponding relation, until the current cluster comprising the current group of users and the current set of web contents does not change from a previous iteration; determine whether a condition is satisfied, the condition being a size of the current group of users exceeds a first specified value and a size of the current set of web contents exceeds a second specified value, wherein the first and second specified values are positive integers; and in an event the condition is satisfied: identify the current group of users as the group of suspicious users, and remove the current set of web contents from the social network.
9. The system of claim 8, wherein through the multiple relations that satisfy the specific criterion, each user of the current group of users is related to each web content of a subset of the current set of web contents wherein a size of the subset is a product of the second specified value and a third specified value, and wherein the third specified value is a fraction.
10. The system of claim 8, wherein the lockstep detection engine is configured to: adjust the current group of users for the current set of web contents to increase the number of the multiple relations in the current cluster; and adjust, after any adjustment of the current group of users, the current set of web contents for the current group of users to increase the number of the multiple relations in the current cluster.
11. The system of claim 10, wherein the lockstep detection engine is configured to: compute, for each web content of the current set of web contents, an aggregate of a set of time values of a set of relations related to the corresponding web content; update, for each web content of the current set of web contents, a timeframe for the corresponding web content based on the aggregate to generate a set of timeframes; and add a first set of users from the overall group of user
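
The iterative cluster update of claims 1, 3 and 4 and the size condition of claim 1 can be sketched as below. This is an added example, not code from the patent or its assignee; the median as the "aggregate", the symmetric `half_width` timeframe, applying the fraction `rho` to the current set sizes, and the constructed `LIKES` sample are assumptions made for illustration.

```python
from statistics import median

# Constructed sample: (user, content) -> time of the acknowledgement (e.g. a like).
LIKES = {(u, p): t for p, row in {
    "P1": {"b1": 100, "b2": 102, "b3": 105, "b4": 101, "alice": 40, "carol": 700},
    "P2": {"b1": 500, "b2": 503, "b3": 498, "b4": 501, "bob": 800, "dave": 60},
    "P3": {"b1": 900, "b2": 905, "b3": 902, "b4": 899, "carol": 100},
    "P4": {"alice": 300, "bob": 310, "dave": 1000},
}.items() for u, t in row.items()}

def window(likes, users, page, half_width):
    """Centre the page's timeframe on the median time of `users`' actions;
    return (centre, users whose action falls inside the timeframe)."""
    times = {u: likes[u, page] for u in users if (u, page) in likes}
    if not times:
        return None, set()
    centre = median(times.values())
    return centre, {u for u, t in times.items() if abs(t - centre) <= half_width}

def find_lockstep(likes, seed_users, seed_pages, half_width, rho, max_iter=50):
    all_users = {u for u, _ in likes}
    all_pages = {p for _, p in likes}
    users, pages = set(seed_users), set(seed_pages)
    for _ in range(max_iter):
        before = (set(users), set(pages))
        # Adjust users: re-centre each timeframe, then keep or add every user
        # acting inside the timeframe on at least rho * |pages| of the contents.
        centres = {p: window(likes, users, p, half_width)[0] for p in pages}
        def hits(u):
            return sum(1 for p, c in centres.items() if c is not None
                       and (u, p) in likes and abs(likes[u, p] - c) <= half_width)
        users = {u for u in all_users if pages and hits(u) >= rho * len(pages)}
        # Adjust contents: keep or add every content that at least
        # rho * |users| of the current users acted on inside one timeframe.
        pages = {p for p in all_pages if users and
                 len(window(likes, users, p, half_width)[1]) >= rho * len(users)}
        if (users, pages) == before:      # cluster unchanged: converged
            break
    return users, pages

def is_suspicious(users, pages, min_users, min_pages):
    """The size condition: both sets must exceed their specified values."""
    return len(users) > min_users and len(pages) > min_pages

if __name__ == "__main__":
    u, p = find_lockstep(LIKES, {"b1", "b2", "alice"}, {"P1", "P2"}, 10, 0.8)
    print(sorted(u), sorted(p), is_suspicious(u, p, 3, 2))
```

A seed that mixes one organic account with two coordinated ones still converges on the four coordinated accounts and pulls in the third content item, while a seed of organic accounts stays below the size condition.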
Detecting local intrusion or implementing counter-measures · CPC title
Event detection, e.g. attack signature detection · CPC title
Arrangements for multi-party communication, e.g. for conferences (data switching systems for conference H04L12/18; arrangements for connecting several subscribers to a common circuit, i.e. affording conference facilities H04M3/56; television conferencing systems H04N7/15) · CPC title
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title