WO2020110109 - METHODS AND SYSTEMS FOR PHISHING PROTECTION

Note: Text based on automatic optical character recognition processes. Only the PDF version has legal value.


CLAIMS

1. A method of phishing detection, implemented by a computer system having a processor and a memory comprising instructions that when executed on the processor perform the method, comprising:

acquiring a set of legitimate web content from one or more webpages of each legitimate top-level domain (TLD) of a set of legitimate TLDs;

generating from each set of legitimate web content a set of legitimate browser images;

determining from each set of legitimate browser images a group of legitimate visual characteristics;

receiving unauthenticated web content addressed to a content recipient;

generating from the unauthenticated web content a new browser image;

identifying a similarity between an unauthenticated web content visual characteristic in the new browser image and at least one legitimate visual characteristic from the groups of legitimate visual characteristics, and determining that the TLD of the unauthenticated web content is not the TLD of the legitimate visual characteristic; and

responsively recording the unauthenticated web content as a phishing attack.

2. The method of claim 1, wherein recording the unauthenticated web content as a phishing attack comprises one or more of sending a modification of the unauthenticated web content to the content recipient, transmitting a warning message, and adding an entry with a TLD of the unauthenticated web content to a phishing blacklist database.

3. The method of claim 1, wherein identifying the similarity further comprises determining that an unauthenticated web content visual characteristic is not identical to a legitimate visual characteristic but has a statistical similarity to a visual characteristic of a known phishing attack.

4. The method of claim 1, wherein determining the group of legitimate visual characteristics comprises generating a similarity model, and wherein generating the similarity model comprises:

receiving phishing content from phishing website URLs and phishing kits;

generating from the phishing content a respective set of phishing browser images; and

performing a manual review by a human operator to segment and classify the set of phishing browser images.

5. The method of claim 1, wherein determining the group of legitimate visual characteristics comprises generating a similarity model, and wherein generating the similarity model comprises:

receiving phishing content from phishing website URLs and phishing kits;

generating from the phishing content a respective set of phishing browser images;

segmenting and classifying the set of phishing browser images by an automated algorithm; and

generating the similarity model as a machine learning model from the set of legitimate browser images and from the segmented and classified set of phishing browser images.

6. The method of claim 5, wherein the machine learning model is a neural network (NN) model.

7. The method of claim 5, wherein recording the phishing attack further comprises adding the unauthenticated web content to the phishing content and re-generating the machine learning model.

8. The method of claim 5, wherein the instructions further include receiving additional unauthenticated web content, determining that the additional unauthenticated web content is not similar to a phishing attack, and has a TLD not included in the plurality of TLDs, and responsively adding the unauthenticated web content to the set of legitimate web content and re-generating the machine learning model.

9. The method of claim 1, wherein recording the unauthenticated web content as a phishing attack comprises determining that the unauthenticated web content includes interactive fields configured to receive user information.

10. The method of claim 1, further comprising recording the unauthenticated web content only after determining that graphics of the unauthenticated web content are in a graphics blacklist.

11. The method of claim 1, wherein receiving the unauthenticated web content comprises receiving a communication that is one of a text message, an email, or an in-app notice, at a server configured to provide a user device with access to the communication.

12. The method of claim 1, wherein receiving the unauthenticated web content comprises receiving, at a messaging client on a user device, a communication that is one of a text message, an email, or an in-app notice.

13. The method of claim 1, wherein receiving the unauthenticated web content comprises receiving web page content by simulating a user interaction on previously received unauthenticated web content.

14. The method of claim 13, wherein simulating a user interaction on previously received unauthenticated web content comprises simulating a mouse movement, a mouse click or a keystroke to access a link to the unauthenticated web content.

15. The method of claim 1, wherein generating the legitimate browser images and the new browser image comprises processing the respective legitimate and unauthenticated web content with an HTML5-compatible background browser and storing respective outputs of the HTML5-compatible background browser to the memory of the computer system, wherein the background browser creates an image identical to a browser configured to display HTML5 content on an interactive screen.

16. The method of claim 1, wherein each browser image is a bit-map image.

17. The method of claim 1, further comprising: receiving second unauthenticated web content, determining that a URL of the second unauthenticated web content is on a URL blacklist, and responsively recording the second unauthenticated web content as a phishing attack.

18. The method of claim 1, wherein the unauthenticated web content includes an interactive component including one of a button, dialog box or animation, wherein the interactive component links to an unauthenticated URL, wherein the unauthenticated URL includes second unauthenticated web content, and further comprising converting the second unauthenticated web content to a subsequent browser image.

19. The method of claim 18, further comprising recording the phishing attack only after determining a proximity in the new browser image of the interactive component to text requesting user identification.

20. The method of claim 18, further comprising recording the phishing attack only after determining that the subsequent browser image has no similarity to an image of the set of legitimate browser images and the second unauthenticated web content includes at least one of a reference to a monitored brand and to an interactive field configured to receive user information.

21. The method of claim 20, wherein the reference to the monitored brand is a brand logo image.

22. The method of claim 1, further comprising: receiving second unauthenticated web content; converting the second unauthenticated web content to a second browser image; determining that 1) the second browser image has no similarity to an image of the set of legitimate browser images, that 2) the second webpage includes no links to additional URLs, and that 3) the second webpage includes neither a reference to a monitored brand nor an interactive field configured to receive user information; and responsively generating a safe link notice.

23. The method of claim 1, further comprising receiving the unauthenticated web content from a message server, receiving from the message server additional content, determining from the additional content a characteristic of content familiar to a content recipient, generating test phishing content that includes the characteristic of familiar content, and delivering the test phishing content as a message to the content recipient.

24. A method of phishing detection, implemented by a computer system having a processor and a memory comprising instructions that when executed on the processor perform the method, comprising:

receiving phishing content from phishing website URLs and phishing kits;

generating from the phishing content a respective set of phishing browser images;

determining from each set of phishing browser images a group of phishing visual characteristics;

receiving unauthenticated web content addressed to a content recipient;

generating from the unauthenticated web content a new browser image;

identifying a similarity between an unauthenticated web content visual characteristic in the new browser image and at least one phishing visual characteristic from the groups of phishing visual characteristics; and

responsively recording that the unauthenticated web content is a phishing attack.

25. The method of claim 24, wherein determining from each set of phishing browser images a group of phishing visual characteristics comprises segmenting and classifying the set of phishing browser images.

26. The method of claim 24, wherein the phishing visual characteristic is a reference to a monitored brand.

27. The method of claim 24, wherein the phishing visual characteristic is an interactive field configured to receive user information.

28. A system of phishing detection, comprising a computer system having a processor and a memory comprising instructions that, when executed on the processor, perform steps comprising:

acquiring a set of legitimate web content from each of one or more webpages of legitimate TLDs;

generating from each set of legitimate web content a set of legitimate browser images;

determining from each set of legitimate browser images a group of legitimate visual characteristics;

receiving unauthenticated web content addressed to a content recipient;

generating from the unauthenticated web content a new browser image;

identifying a similarity between an unauthenticated web content visual characteristic in the new browser image and at least one legitimate visual characteristic from the groups of legitimate visual characteristics, and determining that the TLD of the unauthenticated web content is not the TLD of the legitimate visual characteristic; and

responsively recording that the unauthenticated web content is a phishing attack.
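
The detection steps recited in claims 1 and 28, worked through as an added example (not code from the application or the applicant). Assumptions: the visual characteristic is an average hash of a grayscale bitmap, the claims' "TLD" is approximated by the last two host labels in the hypothetical `site_key` helper, and the bitmaps and the `.example`/`.test` URLs are constructed.

```python
from urllib.parse import urlsplit

def average_hash(bitmap):
    """Assumed visual characteristic: one bit per pixel, set when above the mean."""
    pixels = [p for row in bitmap for p in row]
    mean = sum(pixels) / len(pixels)
    return tuple(int(p > mean) for p in pixels)

def hamming(a, b):
    """Number of differing bits between two equal-length hashes."""
    return sum(x != y for x, y in zip(a, b))

def site_key(url):
    """Assumption: the claims' 'TLD' is approximated by the last two host labels."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def build_legit_groups(pages):
    """Group the hashes of legitimate browser images by the site they came from."""
    groups = {}
    for url, bitmap in pages:
        groups.setdefault(site_key(url), []).append(average_hash(bitmap))
    return groups

def classify(url, bitmap, groups, max_distance=2):
    """Return ('phishing', imitated_site) when the image resembles a legitimate
    site's image but was served from a different site, else ('no_match', None)."""
    new_hash = average_hash(bitmap)
    origin = site_key(url)
    for legit_site, hashes in groups.items():
        similar = any(hamming(new_hash, h) <= max_distance for h in hashes)
        if similar and legit_site != origin:
            return ("phishing", legit_site)
    return ("no_match", None)

# Constructed 4x4 grayscale bitmaps standing in for rendered browser images.
BANK_LOGIN = [[250, 250, 250, 250], [10, 10, 10, 10],
              [250, 10, 10, 250], [250, 250, 250, 250]]
LOOKALIKE = [[245, 248, 250, 251], [12, 9, 14, 10],
             [240, 20, 15, 249], [250, 250, 250, 180]]
UNRELATED = [[10, 250, 10, 250], [250, 10, 250, 10],
             [10, 250, 10, 250], [250, 10, 250, 10]]

GROUPS = build_legit_groups([("https://login.bank.example/signin", BANK_LOGIN)])
```

A similar image served from the legitimate site itself is not flagged, which is the role of the origin check in the final identifying step of claim 1.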