Patent Grant
7624110
This description relates in general to information handling systems, and in particular to a method, system, and computer program product for security within a global computer network. In a global computer network, a user may be deceived into relying on a resource that is misrepresented as a trusted resource. Such deception causes various problems, including potential damage to goodwill of the trusted resources.
In a first embodiment, an information handling system determines whether a resource is likely misrepresented as a trusted resource within a global computer network. In a second embodiment, the information handling system outputs an indication of whether a resource within a global computer network is recognized as a known trusted resource.
A principal advantage of these embodiments is that deception is less likely.
a is an illustration of a 3rd screen displayed by a display device of a customer of
b is an illustration of a 4th screen displayed by a display device of a customer of
Each of e-commerce providers 102 and 104, individual customers 106 and 108, entity customers 110 and 112, spoof servers 114 and 116, and security provider 120 includes a respective network interface for communicating with network 118 (e.g., outputting information to, and receiving information from, network 118), such as by transferring information (e.g., instructions, data, signals) between such e-commerce provider, individual customer, entity customer, spoof server and network 118. Also, each of e-commerce providers 102 and 104, individual customers 106 and 108, entity customers 110 and 112, spoof servers 114 and 116, network 118, and security provider 120 is a computing system that includes at least one respective information handling system (“IHS”) (e.g., computer) for executing respective processes and performing respective operations (e.g., processing and communicating information) in response thereto as discussed further hereinbelow. Each such computing system and IHS is formed by various electronic circuitry means. Moreover, as shown in
For clarity,
In system 100, any one or more of the e-commerce providers, customers, and/or security provider is equipped to determine whether a resource (e.g., a source or destination of information) is likely misrepresented as a trusted resource within the network 118, so that a user thereof is less likely to be deceived into relying on the misrepresented resource. For example, such deception may occur if a user selects (e.g., “clicks”) on an embedded hyperlink to a web page, under a mistaken belief that the hyperlink will direct the user to a trusted web page, where instead the hyperlink actually directs the user to a misrepresented web page whose objective is to illegally, immorally or unethically deceive the user. Such a link is presentable (e.g., displayable) to the user in an electronic message (e.g., an electronic mail (“e-mail”) message or an instant “chat” message). Moreover, a source (e.g., e-mail address) of such electronic message may likewise be misrepresented as a trusted resource.
A misrepresented web page may include features that simulate or mimic features of a trusted web page (e.g., by including the trusted web page's service mark, trademark, logo, layout and/or other elements). Such misrepresentation is a security risk. For example, the misrepresented web page may deceive a user into sharing confidential information (e.g., personal identification number (“PIN”) or other password), sensitive information (e.g., social security number or other user identification), or financial information (e.g., credit card account information or bank account information), which compromises security. Such deception is a type of web page “spoofing.”
After a user is deceived into visiting a misrepresented web page (e.g., “spoof web page”), the user is potentially subject to various types of attacks. In one example, the misrepresented web page displays an information entry field, which is embedded in the misrepresented web page, and which asks the user to enter confidential, sensitive, or financial information. In response to such request, if the user enters and transmits such information via the information entry field (e.g., by clicking a button labeled “submit”), the information is output to the misrepresented resource, and security is compromised.
In another example, an electronic message includes (e.g., is embedded with) a mark-up language command (e.g., HyperText mark up language (“HTML”) command or Extensible Markup Language (“XML”) command). Similar to a misrepresented web page, an electronic message may be misrepresented as originating from a trusted source (e.g., eBay, Microsoft). After a user receives and opens the electronic message, the user is potentially subject to various types of attacks. In one example, the electronic message displays an information entry field, which is embedded in the electronic message, and which asks the user to enter confidential, sensitive, or financial information. In response to such request, if the user enters and transmits such information via the information entry field (e.g., by clicking a button labeled “submit”), the information is output to the misrepresented resource, and security is compromised.
As shown in
For example, computer 204 includes (a) a network interface (e.g., circuitry) for communicating between computer 204 and network 112 and (b) a memory device (e.g., random access memory (“RAM”) device and read only memory (“ROM”) device) for storing information (e.g., instructions executed by computer 204 and data operated upon by computer 204 in response to such instructions). Accordingly, computer 204 is connected to network 112, input devices 206, display device 208, print device 210, storage device 211, and computer-readable medium 212, as shown in
For example, in response to signals from computer 204, display device 208 displays visual images, and user 202 views such visual images. Moreover, user 202 operates input devices 206 in order to output information to computer 204, and computer 204 receives such information from input devices 206. Also, in response to signals from computer 204, print device 210 prints visual images on paper, and user 202 views such visual images.
Input devices 206 include, for example, a conventional electronic keyboard and a pointing device such as a conventional electronic “mouse”, rollerball or light pen. User 202 operates the keyboard to output alphanumeric text information to computer 204, and computer 204 receives such alphanumeric text information from the keyboard. User 202 operates the pointing device to output cursor-control information to computer 204, and computer 204 receives such cursor-control information from the pointing device.
Within database 304, e-commerce provider administrator 302 stores results of various analyses performed by and received from security provider administrator 402 (discussed further hereinbelow in connection with
Moreover, as shown in
Also as shown in
Moreover, security provider 120 includes a web-crawler 404, which is a computing system for executing a web-crawling process as discussed hereinbelow. Web-crawler 404 is coupled to security provider administrator 402 via a connection for communicating with security provider administrator 402. Also, as shown in
From security provider administrator 402, web-crawler 404 receives an Internet address associated with a web page from which to begin a search operation. Web-crawler 404 automatically retrieves a web page from such Internet address and searches the web page for other Internet addresses that are listed therein. Web-crawler 404 automatically retrieves the web pages associated with such other Internet addresses and likewise continues searching those web pages for other Internet addresses that are listed therein. Web-crawler 404 continues operating in this manner until it determines that a halting condition has occurred. For example, the halting condition includes a specified one or more of the following: reaching a maximum word limit, or reaching a maximum document limit. To security provider administrator 402, web crawler 404 outputs the Internet addresses that it identifies during the process.
Mistrusted web pages database 506 and trusted web pages database 508 are stored within a hard disk of security provider administrator 402. Within mistrusted web pages database 506 and trusted web pages database 508, security provider administrator 402 stores records of operations performed by security provider administrator 120, including records of analyses performed by analysis process 502. Mistrusted web pages database 506 includes a list of Internet addresses that are associated with respective web pages (e.g., “spoof web pages”) known to be misrepresented as trusted web pages. Conversely, organization of trusted web pages database 508 includes a list of Internet addresses that are associated with respective web pages known to be trusted.
In the illustrative embodiment, a human system manager (e.g., human system manager 406) initially populates trusted web pages database 508. In an alternative embodiment, a computing system (e.g., security provider administrator 402) executes a process (e.g., a “spider”) to initially populate trusted web pages database 508. In such an alternative embodiment, the computing system automatically retrieves various web pages, and it stores (in trusted web pages database 508) the Internet address of web pages that satisfy predetermined criteria indicating that such web pages are trusted.
Analysis process 502 analyzes information received by security provider administrator 120 from web-crawler 404 and from network 118. Also, analysis process 502 outputs suitable information to update/notification process 504.
Update/notification process 504 performs other operations of security provider administrator 120, including communication of information (a) between human system manager 406 and network 118 and (b) via network 118, to customers (e.g., customers 106 and 110) and e-commerce providers (e.g., e-commerce provider 102) regarding analyses of electronic messages and web pages retrieved from network 118.
As shown in
Operating system 702 is a Microsoft Windows operating system or, alternatively, any other suitable operating system software, which performs conventional operating system operations. Operating system 702 communicates between web browser 704 and various elements of client 602.
Web browser 704 is a Microsoft Internet Explorer browser or, alternatively, any other suitable web browser software, which performs conventional web browser operations. Web browser 704 outputs information to analysis process 710 directly, and indirectly via update process 712. Also, web browser 704 receives information from analysis process 710 via user notification/report process 714.
Human users 810, 812, and 814 are respective users of clients 804, 806, and 808, similar to the manner in which computing system 200 operates in association with user 202. Further, entity customer 110 includes an entity customer administrator 802, which is a computing system for executing entity customer administrator processes as discussed elsewhere herein. Human system manager 816 is a user of entity customer administrator 802.
Moreover, entity customer administrator 802 includes a network interface for communicating with network 118. As shown in
In the discussion hereinbelow, client 804 is a representative one of clients 804, 806, and 808. Although
Screen 900 includes a set of information entry fields (“fields”) indicated generally at 902. As shown in
Screen 900 includes a Sign Up “button” 904, which is a region of screen 900. Button 904 is selectable (e.g., “clickable”) by the client's user and is associated with an Internet address of a spoof server (e.g., spoof server 114). In response to the client's user clicking button 904, the client's computer outputs information (specified in fields 902 by the client's user) to such addressed spoof server (e.g., spoof server 114) through network 118, and security is compromised.
Screen 900 is an example screen of a web page resource that is misrepresented by its content (e.g., information entry fields 902) as a trusted web page resource. In another example, a web page resource is misrepresented by an address in a different web page or in an electronic message (e.g., Internet hyperlink embedded in the different web page or in the electronic message), where the address's wording appears linked to a trusted web page resource, but instead the address is actually linked to a misrepresented web page resource.
In
In response to the client's user “clicking” address 1004, (a) the client's computer outputs such address to network 118, (b) the address's linked spoof server outputs signals (e.g., HTML commands or XML commands) to the client's computer, and (c) the client's display device displays a screen (e.g., screen 900) of a spoof web page.
a and 11b are illustrations of a screen generally indicated at 1100, displayed by the client's display device. Screen 1100 shows an electronic message, which includes content that misrepresents a web page resource as a trusted web page resource.
For example, screen 1100 includes information entry fields 1104. Similar to fields 902 of screen 900 (described hereinabove in connection with
In screen 1100, the web page resource is misrepresented by: (a) a source address 1102 (e.g., return message address, such as “aw-confirm@ebay.com”) in the header of the electronic message, where the address's wording appears linked to a trusted electronic message resource, but instead the address is actually linked to a misrepresented electronic message resource associated with a spoof server (e.g., spoof server 114) that is not approved by eBay.com; and/or (b) wording and layout of the information entry fields 1104 in the body of the electronic message, where such wording and layout appear linked to a trusted web page resource, but instead the information entry fields 1104 are actually linked to a misrepresented web page resource that is not approved by eBay.com.
Screen 1100 includes a Submit button 1106, which is a region of screen 1100. Similar to button 904 (discussed hereinabove in connection with
In the illustrative embodiment, e-commerce provider administrator 302 receives such an electronic message in response to a customer (e.g., individual customer 106 or entity customer 110) outputting the electronic message to e-commerce provider 102. Such an electronic message is output by such a customer in response to the customer's receiving the electronic message through network 118 and suspecting that the electronic message misrepresents a resource as a trusted resource (e.g., a web page).
At step 1502, if e-commerce provider administrator 302 determines that it has received an electronic message for analysis, the operation continues to a step 1504. At step 1504, e-commerce provider administrator 302 outputs the electronic message to security provider 120 through network 118 for analysis. After step 1504, the operation returns to step 1502.
Conversely, if e-commerce provider administrator 302 determines at step 1502 that it has not received an electronic message for analysis, the operation continues to a step 1506, where e-commerce provider administrator 302 determines whether it has received an Internet address for requested analysis (e.g., from individual customers or entity customers via network 118). E-commerce provider administrator 302 receives such an Internet address in response to a customer (e.g., individual customer 106 or entity customer 110) outputting the Internet address to e-commerce provider 102. Such an Internet address is output by such a customer in response to the customer's suspecting that the Internet address misrepresents a web page resource as a trusted web page resource.
At step 1506, if e-commerce provider administrator 302 determines that it has received an Internet address for analysis, the operation continues to a step 1508. At step 1508, e-commerce provider administrator 302 outputs the Internet address to security provider 120 through network 118 for analysis. After step 1508, the operation returns to step 1502. Conversely, if e-commerce provider administrator 302 determines at step 1506 that it has not received an Internet address for analysis, the operation returns to step 1502.
At step 1604, e-commerce provider administrator 302 outputs the analysis to an individual customer or an entity customer through network 118 (e.g., the individual customer or entity customer from which e-commerce provider administrator 302 received the request for analysis). After step 1604, the operation continues to a step 1606, where e-commerce provider administrator 302 stores the analysis in its local database 304. After step 1606, the operation returns to step 1602.
At step 1602, if e-commerce provider administrator 302 determines that it has not received an analysis from security provider 120 through network 118, the operation continues to a step 1608. At step 1608, e-commerce provider administrator 302 determines whether it has received a request to display an analysis that is stored in database 304.
In response to e-commerce provider administrator 302 determining that such a request has been received, the operation continues to a step 1610. At step 1610, e-commerce provider administrator 302 reads the analysis from database 304. After step 1610, the operation continues to a step 1612, where e-commerce provider administrator 302 outputs the analysis to its display device for display to human security analyst 306 (e.g., which views the displayed analysis, such as screen 1300 of
After step 1616, the operation continues to step 1612, where e-commerce provider administrator 302 outputs the analysis to its display device for display to human security analyst 306 (e.g., which views the displayed analysis, such as screen 1300 of
As shown in
In the example of
At step 1704, security provider administrator 402 parses the electronic message's content for an Internet address (e.g., an Internet address associated with link 1004 of screen 1000). Moreover, at step 1704, security provider administrator 402 performs an analysis of the electronic message to determine whether the electronic message likely misrepresents the Internet address as representing a trusted web page. Security provider administrator 402 performs such analysis by analyzing the electronic message's content and header. In analyzing the electronic message's content, security provider administrator 402 detects an extent to which the content implements specified techniques for deceiving a user. In analyzing the electronic message's header, security provider administrator 402 detects an extent to which the header implements specified techniques for misrepresenting or concealing an actual source (e.g., source address) of the electronic message. After step 1704, the operation continues to a step 1708. In an alternative embodiment: (a) if security provider administrator 402 determines that the electronic message likely misrepresents the Internet address, the operation continues to step 1708; or (b) instead, if security provider administrator 402 determines otherwise, the operation returns to step 1702.
Referring again to step 1702, if security provider administrator 402 determines that it has not received an electronic message for requested analysis, the operation continues to a step 1706. At step 1706, security provider administrator 402 determines whether it has received an Internet address for requested analysis (e.g., from an e-commerce provider, an individual customer, or an entity customer via network 118, or from web-crawler 404). If not, the operation returns to step 1702. Conversely, if security provider administrator 402 determines that it has received an Internet address for requested analysis, the operation continues to step 1708.
At step 1708, security provider administrator 402 determines whether the Internet address is stored in trusted web pages database 508. If so, such determination indicates that the Internet address represents a trusted web page (and not a spoof web page). In that situation, the operation continues to a step 1710, where security provider administrator 402 outputs (to update/notification process 504) an analysis indicating that the Internet address represents a trusted web page. After step 1710, the operation returns to step 1702.
Conversely, if security provider administrator 402 determines at step 1708 that the Internet address is not stored in trusted web pages database 508, such determination indicates that further analysis is warranted. In that situation, the operation continues to a step 1712.
At step 1712, security provider administrator 402 determines whether the Internet address is stored in mistrusted web pages database 506. If so, such determination indicates that the Internet address represents a mistrusted (“spoof”) web page (e.g., screen 900 of
Conversely, if security provider administrator 402 determines at step 1712 that the Internet address is not stored in the mistrusted web pages database 506, such determination indicates that further analysis is warranted. In that situation, the operation continues to a step 1714.
At step 1714, security provider administrator 402 performs one or more of the following analyses: an Internet address analysis, a content analysis, a layout analysis, a site analysis, and a reaction analysis. Each of these analyses is discussed in more detail hereinbelow.
The Internet address analysis determines whether a potential spoof web page is likely misrepresented by analyzing the web page's Internet address information (e.g., Uniform Resource Locator (“URL”)). More specifically, the Internet address analysis determines a likelihood that the web page (associated with a particular URL) is a spoof web page by detecting an extent to which the web page's URL implements techniques for deceiving a user. For example, a spoof web page's URL often includes a widely known trusted URL or a part of such a URL, followed by a lengthy and complicated series of characters. The lengthy and complicated series of characters have an objective of concealing the actual URL, which is associated with the spoof web page. The following hypothetical example URL is associated with a spoofweb page:
http://www.wholesecurity.com%20long%20complicated%20@www.spoofsite.com
A user may be deceived into perceiving that such URL is associated with “www.wholesecurity.com.” However, in this example, such URL's substantive web page-identifying portion is www.spoofsite.com, which follows the “@” symbol. Accordingly, such URL is actually associated with “www.spoofsite.com” instead of “www.wholesecurity.com.” The content analysis determines whether a potential spoof web page is likely misrepresented by analyzing the web page's content. More specifically, the content analysis determines a likelihood that the web page (associated with a particular URL) is a spoof web page by detecting an extent to which the web page's content implements techniques for deceiving a user. For example, a spoof web page's content often includes (a) content for deceiving a user to believe that the user is viewing a trusted web page, and (b) content for performing operations which harm the user (e.g., by obtaining the user's confidential, sensitive and/or financial information via information entry fields).
Accordingly, in response to determining that the web page's content includes a predetermined content, the content analysis determines that the web page is likely misrepresented as a trusted web page. For example, the content analysis detects: (a) whether the title or body of the web page's markup language content (e.g., HTML or XML content) includes a trusted web page's logo or name; and (b) whether the web page includes a form (e.g., including an information entry field) that ask a user to enter confidential, sensitive and/or financial information (e.g., the user's credit card account information or the user's bank account information).
The layout analysis determines whether a potential spoof web page is likely misrepresented by analyzing the web page's layout (e.g., organization of content) to determine whether the web page simulates or mimics a layout feature of a trusted web page. Accordingly, the layout analysis compares the potential spoof web page's layout to one or more layouts of one or more known mistrusted (e.g., spoof) web pages, so that the layout analysis determines whether the potential spoof web page's layout is similar to a layout of a known mistrusted web page. Such analysis is configurable to detect whether the potential spoof web page's layout is similar to the layout of the known mistrusted web page in any of the following ways, according to a specified preference of a security provider, e-commerce provider, or customer: (a) substantially similar, (b) substantially identical, and/or (c) exactly identical. Likewise, the layout analysis compares a potential spoof web page's layout to one or more layouts of one or more web pages that are known targets of web page spoofing (e.g., a web page of a known trusted e-commerce provider), so that the analysis determines whether the potential spoof web page's layout is similar to a layout of a known trusted web page.
A website includes one or more web pages. In comparison to a trusted website, a spoof website has: (a) a relatively young age; (b) relatively smaller size (e.g., relatively few hyperlinks to other web pages of the spoof website); and (c) and relatively few hyperlinks to it by known trusted web page resources, and vice versa. Also, unlike a trusted website, in an effort to avoid detection, operators of spoof websites frequently change the server (e.g., spoof server 114) on which the spoof website is hosted. Moreover, a spoof website is more likely to include hyperlinks to specified types of web pages that are infrequently hyperlinked by trusted websites.
Accordingly, the site analysis determines whether a potential spoof web page is likely misrepresented by analyzing information associated with the web page's website, so that such information is compared with known trusted websites. In at least one embodiment, such information includes: (a) an age (e.g., length of time of activity) of the potential spoof web page's website; (b) a size (e.g., a number of web pages) of the potential spoof web page's website; (c) a number of hyperlinks to the potential spoof web page's website by known trusted web pages, and vice versa; (d) a length of time (e.g., duration) that the potential spoof web page's website has been hosted by the website's server; and (e) whether the potential spoof web page's website includes hyperlinks to specified types of web pages that are infrequently hyperlinked by trusted websites.
The reaction analysis determines whether a potential spoof web page is likely misrepresented as a trusted resource by outputting a signal to a computing system (e.g., spoof server 114) that hosts the web page and analyzing the computing system's response (e.g., reaction) thereto. For example, the signals include information requested by information entry fields embedded in the web page. A spoof web page's response (from its associated spoof server that hosts the spoof web page) is frequently different from a similar trusted web page's response (from its associated trusted server that hosts the trusted web page). Accordingly, the reaction analysis compares the potential spoof web page's response to the similar trusted web page's response.
After step 1714, the operation continues to a step 1716, where security provider administrator 402 determines (e.g., generates) a score indicating a likelihood that the Internet address represents a spoof web page, in response to the analyses performed at steps 1704 and 1714.
In at least one embodiment, in response to each of analyses performed at steps 1704 and 1714, security provider administrator 402 outputs a respective indication of whether the web page is likely misrepresented as a trusted web page. Accordingly, at step 1716, security provider administrator 402 generates a score in response to a scoring algorithm, which weighs each of the respective indications from each of the analyses performed at steps 1704 and 1714. After step 1716, the operation continues to a step 1718.
At step 1718, security provider administrator 402 determines whether the score generated at 1716 exceeds a first threshold value. If so, the score indicates that the web page associated with the Internet address is likely a mistrusted web page. If security provider administrator 402 determines that the score exceeds the first threshold value, the operation continues to step 1724.
At step 1724, security provider administrator 402 outputs (to update/notification process 504) an analysis indicating that the Internet address likely represents a mistrusted web page. After step 1724, the operation returns to step 1702.
Referring again to step 1718, if security provider administrator 402 determines that the score does not exceed the first threshold value, the operation continues to a step 1720. At step 1720, security provider administrator 402 determines whether the score is less than a second threshold value. If so, the score indicates that the web page associated with the Internet address is likely a trusted web page. If security provider administrator 402 determines that the score is less than the second threshold value, the operation continues to step 1710. In the illustrative embodiment, the first threshold value is higher than the second threshold value. In an alternative embodiment, the first threshold value is equal to the second threshold value. At step 1710, security provider administrator 402 outputs (to update/notification process 504) an analysis indicating that the Internet address likely represents a trusted web page. After step 1710, the operation returns to step 1702.
Referring again to step 1720, if security provider administrator 402 determines that the score is not less than the second threshold value, the score indicates that the web page associated with the Internet address is inconclusively either a trusted web page or a mistrusted web page. Accordingly, the Internet address represents a neutral web page, and the operation continues to a step 1722.
At step 1722, security provider administrator 402 outputs (to update/notification process 504) an analysis indicating that the Internet address represents a neutral web page. After step 1722, the operation returns to step 1702.
At step 1804, security provider administrator 402 determines whether the received analysis indicates that the Internet address (associated with the analysis) represents a mistrusted web page. If so, the operation continues to a step 1806, where security provider administrator 402 determines whether it is specified to output the analysis to human system manager 406 for further analysis. If so, the operation continues to a step 1808.
At step 1808, security provider administrator 402 outputs the analysis to human system manager 406 for further analysis. After step 1808, the operation continues to a step 1820, where security provider administrator 402 outputs the analysis to an e-commerce provider (e.g., e-commerce provider 102). After step 1820, the operation returns to step 1802.
Referring again to step 1806, if security provider administrator 402 is not specified to output the analysis to human system manager 406 for further analysis, the operation continues to a step 1810. At step 1810, security provider administrator 402 writes the Internet address (associated with the analysis) for storage in mistrusted web pages database 506. After step 1810, the operation continues to step 1820.
Referring again to step 1804, if the received analysis indicates that the Internet address (associated with the analysis) does not represent a mistrusted web page, the operation continues to a step 1812. At step 1812, the security provider administrator 402 determines whether the received analysis indicates that the Internet address (associated with the analysis) represents a trusted web page. If so, the operation continues to a step 1814.
At step 1814, security provider administrator 402 determines whether it is specified to output the analysis to human system manager 406 for further analysis. If so, the operation continues to a step 1816, where security provider administrator 402 outputs the analysis to human system manager 406 for further analysis. After step 1808, the operation continues to a step 1820.
Conversely, if security provider administrator 402 determines at step 1814 that it is not specified to output the analysis to human system manager 406 for further analysis, the operation continues to a step 1818. At step 1818, security provider administrator 402 writes the Internet address (associated with the analysis) for storage in trusted web pages database 508. After step 1818, the operation continues to step 1820.
Referring again to
In the illustrative embodiment, client 602 downloads (e.g., receives) and stores its copy of plug-in 706 from a trusted source (e.g., security provider 120 or e-commerce provider 102) through network 118. Such copy of plug-in 706 is executed by client 602.
Moreover, in response to its execution of update process 712, client 602 updates its copy of detection process 708, analysis process 710, mistrusted web pages database 716, and trusted web pages database 718. While executing update process 712, client 602 determines whether its copy of detection process 708 is up-to-date. If so, client 602 continues with normal operation. Conversely, if client 602 determines that its copy of detection process 708 is not up-to-date, client 602 downloads and stores an up-to-date version of detection process 708 from a trusted source (e.g., security provider 120 or e-commerce provider 102).
In response to its execution of update process 712, entity customer administrator 802: (a) downloads and stores its copy of plug-in 706 from a trusted source (e.g., security provider 120 or e-commerce provider 102) through network 118, similar to the manner in which client 602 downloads its copy; (b) updates its copy of detection process 708, analysis process 710, mistrusted web pages database 716, and trusted web pages database 718, similar to the manner in which client 602 updates its copy; and (c) outputs them to its connected clients (e.g., client 804) while executing its copy of update process 712.
As shown in
At step 1904, client 602 determines whether the Internet address is stored in trusted web pages database 718. If client 602 determines that the Internet address is stored in database 718, such determination indicates that the Internet address represents a trusted web page (and not a spoof web page). Accordingly, the operation continues to a step 1906, where client 602 outputs (to user notification/report process 714) an analysis indicating that the Internet address represents a trusted web page. After step 1906, the operation returns to step 1902.
Referring again to step 1904, if client 602 determines that the Internet address is not stored in trusted web pages database 718, such determination indicates that further analysis by client 602 is warranted. Accordingly, the operation continues to a step 1908.
At step 1908, client 602 determines whether the Internet address is stored in mistrusted web pages database 716. If client 602 determines that the Internet address is stored in mistrusted web pages database 716, such determination indicates that the Internet address represents a mistrusted web page (e.g., as illustrated by screen 900). Accordingly, the operation continues to a step 1920, where client 602 outputs (to user notification/report process 714) an analysis indicating that the Internet address represents a mistrusted web page. After step 1920, the operation returns to step 1902.
Referring again to step 1908, if client 602 determines that the Internet address is not stored in the mistrusted web pages database 716, such determination indicates that further analysis by client 602 is warranted. Accordingly, the operation continues to a step 1910.
At step 1910, client 602 performs one or more analyses, including one or more of: an Internet address analysis, a content analysis, a layout analysis, a site analysis, and a reaction analysis. Each of above analyses is discussed further hereinabove in connection with
In at least one embodiment, in response to each of analyses performed at step 1910, client 602 outputs a respective indication of whether the Internet address likely represents a mistrusted web page. Accordingly, at step 1912, client 602 generates a score in response to a scoring algorithm, which weighs the each of the respective indications from each of the analyses performed at step 1910. After step 1912, the operation continues to a step 1914.
At step 1914, client 602 determines whether the score generated at 1912 exceeds a first threshold value. If so, the score indicates that the web page associated with the Internet address is likely a mistrusted web page. If client 602 determines that the score exceeds the first threshold value, the operation continues to step 1920.
At step 1920, client 602 outputs (to user notification/report process 714) an analysis indicating that the Internet address represents a mistrusted web page. After step 1920, the operation returns to step 1902.
Referring again to step 1914, if client 602 determines that the score does not exceed the first threshold value, the operation continues to a step 1916. At step 1916, client 602 determines whether the score is less than a second threshold value. If so, the score indicates that the web page associated with the Internet address is likely a trusted web page. If client 602 determines that the score is less than the second threshold value, the operation continues to step 1906. In the illustrative embodiment, the first threshold value is higher than the second threshold value. In an alternative embodiment, the first threshold value is equal to the second threshold value.
At step 1906, client 602 outputs (to user notification/report process 714), an analysis indicating that the Internet address represents a trusted web page. After step 1906, the operation returns to step 1902.
Referring again to step 1916, if client 602 determines that the score is not less than the second threshold value, the score indicates that the web page associated with the Internet address is inconclusively either a trusted web page or a mistrusted web page. Accordingly, the Internet address represents a neutral web page, and the operation continues to a step 1918.
At step 1918, client 602 outputs (to user notification/report process 714) an analysis indicating that the Internet address represents a neutral web page. After step 1918, the operation returns to step 1902.
At step 2004, client 602 determines whether the received analysis indicates that the Internet address (associated with the analysis) represents a trusted web page. If so, the operation continues to a step 2006, where client 602 outputs a screen (e.g., screen 1300) to a display device. (e.g., display device 208), and/or outputs audio signals to speakers (e.g., internal speakers of computing system 200), indicating that the Internet address (associated with the analysis) represents a trusted web page. After step 2006, the operation returns to step 2002.
Conversely, if the received analysis indicates that the Internet address (associated with the analysis) does not represent a trusted web page, the operation continues from step 2004 to a step 2008. At step 2008, client 602 determines whether the received analysis indicates that the Internet address (associated with the analysis) represents a mistrusted web page. If so, the operation continues to a step 2010.
At step 2010, client 602's computer outputs a screen (e.g., screen 1200) to a display device (e.g., display device 208), and/or outputs audio signals to speakers (e.g., internal speakers of computing system 200), indicating that the Internet address (associated with the analysis) represents a mistrusted web page. After step 2010, the operation continues to step 2014.
Referring again to
As shown in
Screen 1200 also includes a dialog box 1204, which is a region of screen 1200 for displaying various information to a user (e.g., human user 604) about a mistrusted web page. Dialog box 1204 includes buttons 1206, 1208, 1210, and 1212, respectively clickable by the user for selectively causing client 602 to perform various operations. For example, in response to the user clicking button 1206, client 602 causes web browser 704 to display the user's pre-defined homepage. In response to the user clicking button 1208, client 602 causes web browser 704 to display the mistrusted web page that is represented by the Internet address. In response to the user clicking button 1210, client 602 closes web browser 704 (e.g., ceases executing web browser 704). In response to the user clicking button 1210, client 602 outputs the Internet address (representing a mistrusted web page) to security provider 120 through network 118.
In an alternative embodiment, in response to client 602 determining that the Internet address represents a mistrusted web page, the display device of client 602 does not display dialog box 1204, but instead displays a message (in tool bar 1202) indicating that the Internet address represents a misrepresented web page. In at least one version of such alternative embodiment, client 602 does not display the web page (represented by the Internet address) in web browser 704.
Referring again to
Referring again to step 2008, if client 602 determines that the received analysis indicates that the Internet address (associated with the analysis) does not represent a mistrusted web page, the operation continues to a step 2012. At step 2012, client 602 outputs a screen (e.g., screen 1300) to a display device (e.g., display device 208), and/or outputs audio signals to speakers (e.g., internal speakers of computing system 200), indicating that the Internet address (associated with the analysis) represents a neutral web page. After step 2012, the operation continues to step 2014.
Referring again to
Computer-readable medium 212 stores (e.g., encodes, or records, or embodies) functional descriptive material (e.g., including but not limited to software (also referred to as computer programs or applications) and data structures). Such functional descriptive material imparts functionality when encoded on computer-readable medium 212. Also, such functional descriptive material is structurally and functionally interrelated to computer-readable medium 212.
Within such functional descriptive material, data structures define structural and functional interrelationships between such data structures and computer-readable medium 212 (and other aspects of computer 204, computing system 200 and system 100). Such interrelationships permit the data structures' functionality to be realized. Also, within such functional descriptive material, computer programs define structural and functional interrelationships between such computer programs and computer-readable medium 212 (and other aspects of computer 204, computing system 200 and system 100). Such interrelationships permit the computer programs' functionality to be realized.
For example, computer 204 reads (e.g., accesses or copies) such functional descriptive material from computer-readable medium 212 into the memory device of computer 204, and computer 204 performs its operations (as described elsewhere herein) in response to such material which is stored in the memory device of computer 204. More particularly, computer 204 performs the operation of processing a computer application (that is stored, encoded, recorded or embodied on a computer-readable medium) for causing computer 204 to perform additional operations (as described elsewhere herein). Accordingly, such functional descriptive material exhibits a functional interrelationship with the way in which computer 204 executes its processes and performs its operations.
Further, the computer-readable medium is an apparatus from which the computer application is accessible by computer 204, and the computer application is processable by computer 204 for causing computer 204 to perform such additional operations. In addition to reading such functional descriptive material from computer-readable medium 212, computer 204 is capable of reading such functional descriptive material from (or through) network 112 which is also a computer-readable medium (or apparatus). Moreover, the memory device of computer 204 is itself a computer-readable medium (or apparatus).
Although illustrative embodiments have been shown and described, a wide range of modification, change and substitution is contemplated in the foregoing disclosure and, in some instances, some features of the embodiments may be employed without a corresponding use of other features.
This application claims priority to coassigned U.S. Provisional Patent Application No. 60/433,345, filed Dec. 13, 2002, entitled METHOD AND APPARATUS FOR PROTECTING ONLINE USERS FROM SPOOF SITES USED TO PERFORM ONLINE IDENTITY THEFT AND FRAUD, naming Alagna et al. as inventors, which is incorporated herein by reference in its entirety.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5121345 | Lentz | Jun 1992 | A |
| 5377354 | Scannell et al. | Dec 1994 | A |
| 5438433 | Reifman et al. | Aug 1995 | A |
| 5440723 | Arnold et al. | Aug 1995 | A |
| 5537540 | Miller et al. | Jul 1996 | A |
| 5557789 | Mase et al. | Sep 1996 | A |
| 5619648 | Canale et al. | Apr 1997 | A |
| 5634005 | Matsuo | May 1997 | A |
| 5649182 | Reitz | Jul 1997 | A |
| 5675507 | Bobo, II | Oct 1997 | A |
| 5678041 | Baker et al. | Oct 1997 | A |
| 5696898 | Baker et al. | Dec 1997 | A |
| 5790789 | Suarez | Aug 1998 | A |
| 5796948 | Cohen | Aug 1998 | A |
| 5802277 | Cowlard | Sep 1998 | A |
| 5809242 | Shaw et al. | Sep 1998 | A |
| 5822527 | Post | Oct 1998 | A |
| 5826022 | Nielsen | Oct 1998 | A |
| 5835087 | Herz | Nov 1998 | A |
| 5845263 | Camaisa et al. | Dec 1998 | A |
| 5862325 | Reed et al. | Jan 1999 | A |
| 5864684 | Nielsen | Jan 1999 | A |
| 5870546 | Kirsch | Feb 1999 | A |
| 5870548 | Nielsen | Feb 1999 | A |
| 5874955 | Rogowitz et al. | Feb 1999 | A |
| 5884033 | Duvall et al. | Mar 1999 | A |
| 5889943 | Ji et al. | Mar 1999 | A |
| 5905863 | Knowles et al. | May 1999 | A |
| 5919257 | Trostle | Jul 1999 | A |
| 5930479 | Hall | Jul 1999 | A |
| 5956481 | Walsh et al. | Sep 1999 | A |
| 5968117 | Schuetze | Oct 1999 | A |
| 5978837 | Foladare et al. | Nov 1999 | A |
| 5999932 | Paul | Dec 1999 | A |
| 5999967 | Sundsted | Dec 1999 | A |
| 6023700 | Owens et al. | Feb 2000 | A |
| 6023723 | McCormick et al. | Feb 2000 | A |
| 6052709 | Paul | Apr 2000 | A |
| 6073165 | Narasimhan et al. | Jun 2000 | A |
| 6088804 | Hill et al. | Jul 2000 | A |
| 6112227 | Heiner | Aug 2000 | A |
| 6146026 | Ushiku | Nov 2000 | A |
| 6157630 | Adler et al. | Dec 2000 | A |
| 6158031 | Mack et al. | Dec 2000 | A |
| 6161130 | Horvitz et al. | Dec 2000 | A |
| 6173364 | Zenchelsky et al. | Jan 2001 | B1 |
| 6182118 | Finney et al. | Jan 2001 | B1 |
| 6182227 | Blair et al. | Jan 2001 | B1 |
| 6189026 | Birrell et al. | Feb 2001 | B1 |
| 6195686 | Moon et al. | Feb 2001 | B1 |
| 6199102 | Cobb | Mar 2001 | B1 |
| 6216165 | Woltz et al. | Apr 2001 | B1 |
| 6226630 | Billmers | May 2001 | B1 |
| 6230156 | Hussey | May 2001 | B1 |
| 6266774 | Sampath et al. | Jul 2001 | B1 |
| 6272641 | Ji | Aug 2001 | B1 |
| 6314454 | Wang et al. | Nov 2001 | B1 |
| 6327610 | Uchida et al. | Dec 2001 | B2 |
| 6330588 | Freeman | Dec 2001 | B1 |
| 6334140 | Kawamata | Dec 2001 | B1 |
| 6360254 | Linden et al. | Mar 2002 | B1 |
| 6377949 | Gilmour | Apr 2002 | B1 |
| 6393568 | Ranger et al. | May 2002 | B1 |
| 6411947 | Rice et al. | Jun 2002 | B1 |
| 6421709 | McCormick et al. | Jul 2002 | B1 |
| 6438125 | Brothers | Aug 2002 | B1 |
| 6438608 | Biliris et al. | Aug 2002 | B2 |
| 6466966 | Kirsch et al. | Oct 2002 | B1 |
| 6505237 | Beyda et al. | Jan 2003 | B2 |
| 6523120 | Strasnick | Feb 2003 | B1 |
| 6546416 | Kirsch | Apr 2003 | B1 |
| 6549957 | Hanson et al. | Apr 2003 | B1 |
| 6571275 | Dong et al. | May 2003 | B1 |
| 6654787 | Aronson et al. | Nov 2003 | B1 |
| 6671812 | Balasubramaniam et al. | Dec 2003 | B1 |
| 6718321 | Birrell et al. | Apr 2004 | B2 |
| 6732157 | Gordon et al. | May 2004 | B1 |
| 6757713 | Ogilvie et al. | Jun 2004 | B1 |
| 6785732 | Bates et al. | Aug 2004 | B1 |
| 6792543 | Pak et al. | Sep 2004 | B2 |
| 6836272 | Leung et al. | Dec 2004 | B2 |
| 6859833 | Kirsch et al. | Feb 2005 | B2 |
| 7010698 | Sheymov | Mar 2006 | B2 |
| 7072944 | Lalonde et al. | Jul 2006 | B2 |
| 7093121 | Barton et al. | Aug 2006 | B2 |
| 7096500 | Roberts et al. | Aug 2006 | B2 |
| 7114177 | Rosenberg et al. | Sep 2006 | B2 |
| 7315893 | Vinberg | Jan 2008 | B2 |
| 7331062 | Alagna et al. | Feb 2008 | B2 |
| 20020007301 | Reuning | Jan 2002 | A1 |
| 20020046065 | Nighan | Apr 2002 | A1 |
| 20020116635 | Sheymov | Aug 2002 | A1 |
| 20020147780 | Liu et al. | Oct 2002 | A1 |
| 20020150243 | Craft et al. | Oct 2002 | A1 |
| 20020174137 | Wolff et al. | Nov 2002 | A1 |
| 20030033536 | Pak et al. | Feb 2003 | A1 |
| 20030097451 | Bjorksten et al. | May 2003 | A1 |
| 20030159070 | Mayer et al. | Aug 2003 | A1 |
| 20030174137 | Leung et al. | Sep 2003 | A1 |
| 20040054917 | Obrecht et al. | Mar 2004 | A1 |
| 20040064736 | Obrecht et al. | Apr 2004 | A1 |
| 20040078422 | Toomey | Apr 2004 | A1 |
| 20040088570 | Roberts et al. | May 2004 | A1 |
| 20040098607 | Alagna et al. | May 2004 | A1 |
| 20040177120 | Kirsch et al. | Sep 2004 | A1 |
| 20040187023 | Alagna et al. | Sep 2004 | A1 |
| 20040230820 | Hui Hsu et al. | Nov 2004 | A1 |
| 20050050222 | Packer | Mar 2005 | A1 |
| 20050081059 | Bandini et al. | Apr 2005 | A1 |
| 20050108339 | Gleeson et al. | May 2005 | A1 |
| 20050108340 | Gleeson et al. | May 2005 | A1 |
| 20050137980 | Bullock et al. | Jun 2005 | A1 |
| 20060031298 | Hasegawa | Feb 2006 | A1 |
| 20060053490 | Herz et al. | Mar 2006 | A1 |
| 20060168006 | Shannon et al. | Jul 2006 | A1 |
| 20060251068 | Judge et al. | Nov 2006 | A1 |
| 20060288076 | Cowings et al. | Dec 2006 | A1 |
| 20070101423 | Oliver et al. | May 2007 | A1 |
| 20070143432 | Klos et al. | Jun 2007 | A1 |
| Number | Date | Country |
|---|---|---|
| 0375138 | Jun 1990 | EP |
| 0420779 | Apr 1991 | EP |
| 0720333 | Jul 1996 | EP |
| 2271002 | Mar 1994 | GB |
| 10240649 | Jun 1998 | JP |
| 9635994 | Nov 1996 | WO |
| 9837680 | Aug 1998 | WO |
| 0203178 | Jan 2002 | WO |
| WO 0203178 | Jan 2002 | WO |
| 02103533 | Dec 2002 | WO |
| WO 02103533 | Dec 2002 | WO |
| 2004021197 | Mar 2004 | WO |
| WO 2004021197 | Mar 2004 | WO |
| 2004055632 | Jul 2004 | WO |
| WO 2004055632 | Jul 2004 | WO |
| 2004072777 | Aug 2004 | WO |
| WO 2004072777 | Aug 2004 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20040123157 A1 | Jun 2004 | US |
| Number | Date | Country | |
|---|---|---|---|
| 60433345 | Dec 2002 | US |
