Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications

Information

  • Patent Grant
  • 10484407
  • Patent Number
    10,484,407
  • Date Filed
    Wednesday, March 15, 2017
    7 years ago
  • Date Issued
    Tuesday, November 19, 2019
    5 years ago
Abstract
A data analysis system receives potentially undesirable electronic communications and automatically groups them in computationally-efficient data clusters, automatically analyze those data clusters, automatically tags and groups those data clusters, and provides results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the data clusters may include an automated application of various criteria or rules so as to generate an ordered display of the groups of related data clusters such that the analyst may quickly and efficiently evaluate the groups of data clusters. In particular, the groups of data clusters may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various groups of data clusters and efficiently evaluate those data clusters.
Description
BACKGROUND

Embodiments of the present disclosure generally relate to identifying phishing, spam, and malicious electronic communications.


Phishing communications are unsolicited electronic communications, from fraudulent senders masquerading as trustworthy entities, seeking sensitive information from recipients of the unsolicited electronic communications. Spam communications are unsolicited bulk communications akin to electronic junk mail. Malicious communications include unsolicited communications sent with the intention of disrupting the recipient's computer or network communications intended to install “malware” (hostile or intrusive software, in the form of executable code, scripts, active content, and other software, which includes computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs). It is important for local network administrators to identify such communications and take appropriate actions to protect the local network or the recipients' computers or sensitive information. In this disclosure, the term “undesirable electronic communications” or “undesirable communications” encompasses, among other things, phishing, spam, and other malicious electronic communications, including those discussed above and others described herein.


SUMMARY

A recipient of a potentially undesirable electronic communication can forward the electronic communication to an administrator. A computer-implemented data analysis system can group the potentially undesirable electronic communication with any other similar potentially undesirable electronic communications in a data cluster and classify the data cluster with a classification reflecting a priority for assessing the potentially undesirable electronic communication(s) in the data cluster. The system can also generate user interface data for rendering an interactive user interface allowing an analyst to view the context and scope of the data cluster and triage all potentially undesirable electronic communication(s) in the data cluster as a group. The systems, methods, and devices described herein each have several aspects, no single one of which is solely responsible for its desirable attributes. Without limiting the scope of this disclosure, several non-limiting features will now be discussed briefly.


Embodiments of the present disclosure relate to a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, automatically tag and group those clustered data structures in tiers, and provide results of the automated analysis and grouping in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as “data clusters” or simply “clusters”) may include an automated application of various criteria or rules so as to generate a tiled display of the tiers of related data clusters such that the analyst may quickly and efficiently evaluate the tiers of data clusters. In particular, the tiers of data clusters may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various tiers and efficiently evaluate the tiers of data clusters.


As described below, tiers of data clusters may include one or more potentially undesirable electronic communications, such as emails, text messages, newsgroup postings, and the like. In an example application, a human analyst may be tasked with deciding whether potentially undesirable electronic communication represents a phishing, spam, or malicious communication. In a very large local network, such as in a company employing hundreds of thousands of employees, such decisions may require a large team of analysts evaluating massive numbers of individual electronic communications. Certain embodiments include the inventive realization that grouping related potentially undesirable electronic communications in a data cluster can reduce the labor required for such decision making by allowing for triage of all potentially undesirable electronic communication(s) in the data cluster as a group.


Moreover, an individual potentially undesirable electronic communication often includes insufficient information for the analyst to effectively make such decisions. For example, the analyst could initiate an investigation with a single potentially undesirable electronic communications, such as a potentially malicious email. If the analyst examined this email by itself, then the analyst may not observe any suspicious characteristics. Certain embodiments include the inventive realization that an analyst may make better decisions based on a collection of related potentially undesirable electronic communications. For instance, two malicious emails may be related by an identical sender or similar subject fields. By viewing the emails in the context of a data cluster, the analyst could discover additional potentially undesirable electronic communications relating to the original email because of a shared characteristic. The analyst could then mark all the potentially undesirable electronic communications in the data cluster as malicious, based on the shared characteristic.


As described herein, various embodiments of the data analysis system of the present disclosure automatically create clusters of related potentially undesirable electronic communications, tags and groups the clusters in tiers, and generates an interactive user interface in which, in response to inputs from the analyst, information related to the tiers of clusters may be efficiently provided to the analyst. Accordingly, the analyst may be enabled to efficiently evaluate the tiers of clusters.


Generation of the memory-efficient clustered data structures may be accomplished by selection of one or more initial potentially undesirable electronic communication of interest (also referred to herein as “seeds”), adding of the initial potentially undesirable electronic communication to the memory-efficient clustered data structure (or, alternatively, designating the initial potentially undesirable electronic communication as the clustered data structure, or an initial iteration of the clustered data structure), and determining and adding one or more related potentially undesirable electronic communications to the cluster. The number of potentially undesirable electronic communications in the cluster may be several orders of magnitude smaller than in the entire electronic collection of data described above because only potentially undesirable electronic communication related to each other are included in the clusters.


Additionally, the automated analysis and scoring of clusters (as mentioned above) may enable highly efficient evaluation of the various data clusters by a human analyst. For example, the interactive user interface is generated so as to enable an analyst to quickly view critical groups of data clusters (as determined by automated grouping in tiers), and then in response to analyst inputs, view and interact with the generated information associated with the clusters. In response to user inputs the user interface may be updated to display data associated with each of the generated groups of clusters if the analyst desires to dive deeper into data associated with a given group of clusters.


In various embodiments, seeds may be automatically selected/generated according to various seed determination strategies, and clusters of related potentially undesirable electronic communications may be generated based on those seeds and according to cluster generation strategies (also referred to herein as “cluster strategies”). Also, as mentioned above, the system may rank or prioritize the generated clusters. High priority clusters may be of greater interest to an analyst as they may contain related potentially undesirable electronic communications that meet particular criteria related to the analyst's investigation. In an embodiment, the system may enable an analyst to advantageously start an investigation with a prioritized cluster, or group of clusters, including many related potentially undesirable electronic communications rather than a single randomly selected potentially undesirable electronic communications. Further, as described above, the cluster prioritization may enable the processing requirements of the analyst's investigation to be highly efficient as compared to processing of the huge collection of data described above. As mentioned above, this is because, for example, a given investigation by an analyst may only require storage in memory of a limited number of potentially undesirable electronic communications associated with a small number of clusters, and further, a number of potentially undesirable electronic communications in a cluster may be several orders of magnitude smaller than in the entire electronic collection of data described above because only potentially undesirable electronic communications related to each other are included in the cluster. Further, an analyst may not need to view many (or, alternatively, any) potentially undesirable electronic communications associated with a cluster to evaluate the cluster, but rather may evaluate the cluster based on the automatically generated cluster information.


In various embodiments, grouping of related data clusters enables an analyst to review the data in a logical way. For example, the data clusters may be tagged and grouped according to a recipient's position in the local network. Further, when a group of related data clusters is determined by the analyst to not be important, the analyst may quickly dismiss all potentially undesirable electronic communications of that group of clusters, rather than each potentially undesirable electronic communication separately. This advantageously enables computationally-efficient processing, allowing analysts to process entire clusters with one click rather than email by email.


According to an embodiment, a computer system is disclosed, the system comprising one, some, or all of the following features, as well as features described elsewhere in this disclosure. The system can comprise one or more computer readable storage devices configured to store one or more software modules including computer executable instructions, records of first electronic communications to internal recipients within a local network for a period of time, the records reflecting, for each of the first electronic communications, a plurality of characteristics, and/or a plurality of prescreened electronic communications, at least some of the prescreened electronic communications in the first electronic communications, each prescreened electronic communication preliminarily identified as a potential undesirable electronic communication, and each prescreened electronic communication comprising the plurality of characteristics.


The system can also comprise one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the one or more software modules in order to cause the computer system to: access, from the one or more computer readable storage devices, the plurality of prescreened electronic communications and the records; group, from the plurality of prescreened electronic communications, a data cluster of the prescreened electronic communications sharing a similar characteristic from the plurality of characteristics; based on a first characteristic associated with the data cluster and the same first characteristics of the records, identify recipients associated with the data cluster from the first electronic communications; based on one or more attributes of the data cluster, classify the data cluster with a classification reflecting a priority for assessing whether the prescreened electronic communications associated with the data cluster are undesirable electronic communications, such that, once initiated, the classifying is performed by the one or more hardware computer processors, without the need for manually performing the classifying; generate user interface data for rendering an interactive user interface on a computing device, the interactive user interface including an element selectable by a user, the selectable element reflecting the classification; and/or update the user interface data such that, after the selectable element is selected by the user, the interactive user interface further includes informational data regarding the data cluster, the informational data reflecting the recipients associated with the data cluster.


According to an aspect, the plurality of characteristics can comprise a from field corresponding to a purported author of the respective first electronic communication, one or more recipient fields corresponding to the recipients of the respective first electronic communication, and a subject field corresponding to a purported topic of the respective first electronic communication.


According to another aspect, the one or more attributes can comprise the number of prescreened electronic communications in the data cluster. The one or more attributes can comprise an identity of one or more recipients of the prescreened electronic communications in the data cluster. Each prescreened electronic communication can further comprise a message body, and the one or more hardware computer processors in communication with the one or more computer readable storage devices can be configured to execute the one or more software modules in order to cause the computer system to parse the message body for any uniform resource locators. The one or more attributes can comprise a determination that the message body includes at least one uniform resource locator.


According to yet another aspect, the computer system can further comprise a network connection configured to access, from one or more remote networks not within the local network, one or more domain name system blackhole lists or real-time blackhole lists, the one or more attributes comprising a determination that the message body includes at least one uniform resource locator, or a portion thereof, on the domain name system blackhole list(s) or real-time blackhole list(s). The one or more computer readable storage devices can be further configured to store a log of requests from the local network seeking resources outside the local network, and the one or more hardware computer processors in communication with the one or more computer readable storage devices can be configured to execute the one or more software modules in order to cause the computer system to identify instances in the log indicating a request from the local network seeking a parsed uniform resource locator. The informational data can further reflect an identification of the instances in the log.


According to another aspect, the one or more hardware computer processors in communication with the one or more computer readable storage devices can be configured to execute the one or more software modules in order to further cause the computer system to receive a disposition from the user that the prescreened electronic communications associated with the data cluster are undesirable electronic communications. The one or more hardware computer processors in communication with the one or more computer readable storage devices can be configured to execute the one or more software modules in order to further cause the computer system to, based on the disposition, transmit an electronic notification to the recipients associated with the data cluster.


According to an embodiment, a computer-implemented method is disclosed, the method comprising one, some, or all of the following features, as well as features described elsewhere in this disclosure. The method can comprise, as implemented by one or more computer readable storage devices configured to store one or more software modules including computer executable instructions, and by one or more hardware computer processors in communication with the one or more computer readable storage devices configured to execute the one or more software modules, accessing, from the one or more computer readable storage devices, a plurality of electronic communications, each comprising a message body, a from field corresponding to a purported author of the respective prescreened electronic communication, and a subject field corresponding to a purported topic of the respective prescreened electronic communication, grouping, from the plurality of electronic communications, a data cluster of the electronic communications sharing a similar from field or a similar subject field, and/or accessing, from one or more remote networks, one or more domain name system blackhole lists or real-time blackhole lists.


The method can further comprise, for one or more of the electronic communications in the data cluster, parsing the respective message body for uniform resource locators, based at least in part on a determination that the message body includes at least one uniform resource locator, or a portion thereof, on the domain name system blackhole list(s) or real-time blackhole list(s), classifying the data cluster with a classification reflecting a priority for assessing whether the electronic communications associated with the data cluster are undesirable electronic communications, such that, once initiated, the classifying is performed by the one or more hardware computer processors, without the need for manually performing the classifying, generating user interface data for rendering an interactive user interface on a computing device, the interactive user interface including an element selectable by a user, the selectable element reflecting the classification, and/or updating the user interface data such that, after the selectable element is selected by the user, the interactive user interface further includes informational data regarding the data cluster.


According to an aspect, each electronic communication can further comprise the one or more recipient fields. The computer-implemented method can further comprise accessing records of first electronic communications to internal recipients within a local network for a period of time, the records reflecting, for each of the first electronic communications, a from field corresponding to a purported author of the respective first electronic communication, one or more recipient fields corresponding to the recipients of the respective first electronic communication, and a subject field corresponding to a purported topic of the respective first electronic communication.


According to another aspect, the computer-implemented method can further comprise, based on the from field or the subject field associated with the data cluster and the from fields or the subject fields of the records, identifying additional recipients associated with the data cluster from the first electronic communications. The classifying can be further based, at least in part, on an identity of one or more the recipients of the electronic communications in the data cluster.


According to yet another aspect, the method can further comprise accessing a log of requests from the local network seeking resources outside the local network; and identifying instances in the log indicating a request from the local network seeking a parsed uniform resource locator. The informational data can comprise an identification of the instances in the log.


According to another aspect, the method can further comprise receiving a disposition from the user that the electronic communications associated with the data cluster are undesirable electronic communications. The method can further comprise, based on the disposition, transmitting an electronic notification to recipients associated with the data cluster and the additional recipients.


In various embodiments, computer-implemented methods are disclosed in which, under control of one or more hardware computing devices configured with specific computer executable instructions, one or more aspects of the above-described embodiments are implemented and/or performed.


In various embodiments, a non-transitory computer-readable storage medium storing software instructions is disclosed that, in response to execution by a computer system having one or more hardware processors, configure the computer system to perform operations comprising one or more aspects of the above-described embodiments.


Further, as described herein, a data analysis system may be configured and/or designed to generate user interface data useable for rendering the various interactive user interfaces described. The user interface data may be used by the system, and/or another computer system, device, and/or software program (for example, a browser program), to render the interactive user interfaces. The interactive user interfaces may be displayed on, for example, electronic displays (including, for example, touch-enabled displays).


Additionally, it has been noted that design of computer user interfaces “that are useable and easily learned by humans is a non-trivial problem for software developers.” (Dillon, A. (2003) User Interface Design. MacMillan Encyclopedia of Cognitive Science, Vol. 4, London: MacMillan, 453-458.) The various embodiments of interactive and dynamic user interfaces of the present disclosure are the result of significant research, development, improvement, iteration, and testing. This non-trivial development has resulted in the user interfaces described herein which may provide significant cognitive and ergonomic efficiencies and advantages over previous systems. The interactive and dynamic user interfaces include improved human-computer interactions that may provide reduced mental workloads, improved decision-making, reduced work stress, and/or the like, for an analyst user.


Further, the interactive and dynamic user interfaces described herein are enabled by innovations in efficient interactions between the user interfaces and underlying systems and components. For example, disclosed herein are improved methods of receiving user inputs, translation and delivery of those inputs to various system components (for example, retrieval of clusters), automatic and dynamic execution of complex processes in response to the input delivery (for example, grouping and filtering of clusters), automatic interaction among various components and processes of the system, and/or automatic and dynamic updating of the user interfaces. The interactions and presentation of data via the interactive user interfaces described herein may accordingly provide cognitive and ergonomic efficiencies and advantages over previous systems.


Advantageously, according to various embodiments, the disclosed techniques provide a more effective starting point and user interface for an investigation of potentially undesirable electronic communications of various types. An analyst may be able to start an investigation from a group of clusters of related potentially undesirable electronic communications instead of an individual potentially undesirable electronic communication, which may reduce the amount of time and effort required to perform the investigation. The disclosed techniques may also, according to various embodiments, provide a prioritization of multiple clusters, and dynamic re-grouping of related clusters and cluster filtering. For example, the analyst may also be able to start the investigation from a high priority group of clusters, which may allow the analyst to focus on the most important investigations, and may quickly evaluate that group of clusters based on the efficient user interface generated by the system. In each case, the processing and computational requirements of such an investigation may be significantly reduced due to the creation and use of highly efficient cluster data structures of related potentially undesirable electronic communications.





BRIEF DESCRIPTION OF THE DRAWINGS

The following drawings and the associated descriptions are provided to illustrate embodiments of the present disclosure and do not limit the scope of the claims. Aspects and many of the attendant advantages of this disclosure will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:



FIG. 1 is a block diagram of a server system, as used in an embodiment.



FIG. 2 is a block diagram of a computing system for analyzing potentially undesirable electronic communications, as used in an embodiment.



FIG. 3 is a process of analyzing potentially undesirable electronic communications, as used in an embodiment.



FIG. 4 is process of taking action based on potentially undesirable electronic communications, as used in an embodiment.



FIG. 5 is a process of analyzing potentially undesirable electronic communications and taking action based thereon, as used in an embodiment.



FIG. 6 is a process of analyzing potentially undesirable electronic communications, as used in an embodiment.



FIG. 7 is a data cluster analysis user interface in which multiple data clusters are prioritized, as used in an embodiment.



FIG. 8 is a data cluster analysis user interface showing potentially undesirable electronic communications for a high priority group of data clusters, as used in an embodiment.



FIGS. 9-13 are dossier analysis user interfaces showing informational data regarding a data cluster, as used in an embodiment.



FIGS. 14A and 14B are dossier analysis user interfaces showing informational data regarding a data cluster, as used in an embodiment.





In the drawings, the first one or two digits of each reference number typically indicate the figure in which the element first appears. Throughout the drawings, reference numbers may be reused to indicate correspondence between referenced elements. Nevertheless, use of different numbers does not necessarily indicate a lack of correspondence between elements. And, conversely, reuse of a number does not necessarily indicate that the elements are the same.


DETAILED DESCRIPTION

Although certain preferred embodiments and examples are disclosed below, inventive subject matter extends beyond the specifically disclosed embodiments to other alternative embodiments and/or uses and to modifications and equivalents thereof. Thus, the scope of the claims appended hereto is not limited by any of the particular embodiments described below. For example, in any method or process disclosed herein, the acts or operations of the method or process may be performed in any suitable sequence and are not necessarily limited to any particular disclosed sequence. Various operations may be described as multiple discrete operations in turn, in a manner that may be helpful in understanding certain embodiments; however, the order of description should not be construed to imply that these operations are order dependent. Additionally, the structures, systems, and/or devices described herein may be embodied as integrated components or as separate components. For purposes of comparing various embodiments, certain aspects and advantages of these embodiments are described. Not necessarily all such aspects or advantages are achieved by any particular embodiment. Thus, for example, various embodiments may be carried out in a manner that achieves or optimizes one advantage or group of advantages as taught herein without necessarily achieving other aspects or advantages as may also be taught or suggested herein.


Terms

In order to facilitate an understanding of the systems and methods discussed herein, a number of terms are defined below. The terms defined below, as well as other terms used herein, should be construed broadly to include, without limitation, the provided definitions, the ordinary and customary meanings of the terms, and/or any other implied meanings for the respective terms. Thus, the definitions below do not limit the meaning of these terms, but only provide example definitions.


Database: A broad term for any data structure for storing and/or organizing data, including, but not limited to, relational databases (for example, Oracle database, mySQL database, and the like), spreadsheets, XML files, and text files, among others. The various terms “database,” “data store,” and “data source” may be used interchangeably in the present disclosure.


Potentially undesirable electronic communication: An electronic communication that has been preliminarily screened and identified as a possible undesirable electronic communication but that has not been triaged by a designated analyst and conclusively identified as an undesirable electronic communication. A potentially undesirable electronic communication may represent a document or other unstructured data source such as an e-mail message, a news report, or a written paper or article. Each potentially undesirable electronic communication may be associated with a unique identifier that uniquely identifies it. The preliminary screening can be done by a human recipient. The preliminary screening can be done automatically, without human intervention, by electronic rules or a program.


Cluster: A group or set of one or more related potentially undesirable electronic communications. A cluster may be generated, determined, and/or selected from one or more sets of potentially undesirable electronic communication according to a cluster generation strategy. A cluster may further be generated, determined, and/or selected based on a seed. For example, a seed may comprise an initial potentially undesirable electronic communication of a cluster. Potentially undesirable electronic communications related to the seed may be determined and added to the cluster. Further, additional potentially undesirable electronic communications related to any clustered potentially undesirable electronic communication may also be added to the cluster iteratively as indicated by a cluster generation strategy. Potentially undesirable electronic communications may be related by any common and/or similar properties, metadata, types, relationships, and/or the like. Clusters may also be referred to herein as “data clusters.”


Seed: One or more potentially undesirable electronic communications that may be used as a basis, or starting point, for generating a cluster. A seed may be generated, determined, and/or selected from one or more sets of potentially undesirable electronic communications according to a seed generation strategy. For example, seeds may be generated from potentially undesirable electronic communications accessed from various databases and data sources.


Dossier: A collection of information associated with a cluster or a group of clusters and/or a user interface for displaying such a collection.


Overview


When investigating phishing, spam, or malicious communications, an analyst may have to make decisions regarding a large number of electronic communications that may or may not be related to one another, and which may be stored in an electronic data store or memory. For example, such a collection of data may include hundreds of thousands or millions of potentially undesirable electronic communications, and may consume significant storage and/or memory. Determination and selection of relevant communications within such a collection may be extremely difficult for the analyst. Further, processing of such a large collection of data (for example, as an analyst uses a computer to sift and/or search through large pluralities of potentially undesirable electronic communications) may be extremely inefficient and consume significant processing and/or memory resources.


This disclosure relates to a system for analyzing potentially undesirable electronic communications (also referred to herein as the “system”) in which computationally-efficient clustered data structures (also referred to herein as “clusters”) of related electronic communications may be automatically generated and analyzed, tagged, grouped, and results may be provided for interaction from an analyst, for example. Generation of clusters may begin by automatic generation, determination, and/or selection of one or more initial communications of interest, called “seeds.” Clusters of related electronic communications may be generated based on those seeds and according to cluster generation strategies (also referred to herein as “cluster strategies,” “clustering strategies,” and/or “cluster generation rules”). Seeds and related electronic communications may be accessed from various databases and data sources including, for example, databases maintained by financial institutions, government entities, private entities, public entities, and/or publicly available data sources. Such databases and data sources may include a variety of information and data, such as, for example, computer network-related data, and/or computer-related activity data, among others. Further, the databases and data sources may include various relationships that link and/or associate electronic communications with one another. Various electronic communications and relationships may be stored across different systems controlled by different items and/or institutions. According to various embodiments, the system may bring together data from multiple data sources in order to build clusters.


In the following description, numerous specific details are set forth to provide a more thorough understanding of various embodiments of the present disclosure. It will be apparent to one of skill in the art, however, that the systems and methods of the present disclosure may be practiced without one or more of these specific details.


DESCRIPTION OF THE FIGURES

Embodiments of the disclosure will now be described with reference to the accompanying Figures. The terminology used in the description is not intended to be interpreted in any limited or restrictive manner, simply because it is being utilized in conjunction with a detailed description of certain specific embodiments of the disclosure. Furthermore, embodiments of the disclosure described above and/or below may include several novel features, no single one of which is solely responsible for its desirable attributes or which is essential to practicing the embodiments of the disclosure herein described.


I. Implementation Mechanisms

According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, server computer systems, portable computer systems, handheld devices, networking devices or any other device or combination of devices that incorporate hard-wired and/or program logic to implement the techniques.


Computing device(s) are generally controlled and coordinated by operating system software, such as iOS, Android, Chrome OS, Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server, Windows CE, Unix, Linux, SunOS, Solaris, iOS, Blackberry OS, VxWorks, or other compatible operating systems. In other embodiments, the computing device may be controlled by a proprietary operating system. Conventional operating systems control and schedule computer processes for execution, perform memory management, provide file system, networking, I/O services, and provide a user interface functionality, such as a graphical user interface (“GUI”), among other things.



FIG. 1 is a block diagram that illustrates a computer system 100 upon which an embodiment may be implemented. For example, any of the computing devices discussed herein may include some or all of the components and/or functionality of the computer system 100.


Computer system 100 includes a bus 102 or other communication mechanism for communicating information, and a hardware processor, or multiple processors, 104 coupled with bus 102 for processing information. Hardware processor(s) 104 may be, for example, one or more general purpose microprocessors.


Computer system 100 also includes a main memory 106, such as a random access memory (RAM), cache and/or other dynamic storage devices, coupled to bus 102 for storing information and instructions to be executed by processor 104. Main memory 106 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 104. Such instructions, when stored in storage media accessible to processor 104, render computer system 100 into a special-purpose machine that is customized to perform the operations specified in the instructions.


Computer system 100 further includes a read only memory (ROM) 108 or other static storage device coupled to bus 102 for storing static information and instructions for processor 104. A storage device 110, such as a magnetic disk, optical disk, or USB thumb drive (Flash drive), etc., is provided and coupled to bus 102 for storing information and instructions.


Computer system 100 may be coupled via bus 102 to a display 112, such as a cathode ray tube (CRT) or LCD display (or touch screen), for displaying information to a computer user. An input device 114, including alphanumeric and other keys, is coupled to bus 102 for communicating information and command selections to processor 104. Another type of user input device is cursor control 116, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 104 and for controlling cursor movement on display 112. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane. In some embodiments, the same direction information and command selections as cursor control may be implemented via receiving touches on a touch screen without a cursor.


Computing system 100 may include a user interface module to implement a GUI that may be stored in a mass storage device as executable software codes that are executed by the computing device(s). This and other modules may include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.


In general, the word “module,” as used herein, refers to logic embodied in hardware or firmware, or to a collection of software instructions, possibly having entry and exit points, written in a programming language, such as, for example, Java, Lua, C or C++. A software module may be compiled and linked into an executable program, installed in a dynamic link library, or may be written in an interpreted programming language such as, for example, BASIC, Perl, or Python. It will be appreciated that software modules may be callable from other modules or from themselves, and/or may be invoked in response to detected events or interrupts. Software modules configured for execution on computing devices may be provided on a computer readable medium, such as a compact disc, digital video disc, flash drive, magnetic disc, or any other tangible medium, or as a digital download (and may be originally stored in a compressed or installable format that requires installation, decompression or decryption prior to execution). Such software code may be stored, partially or fully, on a memory device of the executing computing device, for execution by the computing device. Software instructions may be embedded in firmware, such as an EPROM. It will be further appreciated that hardware modules may be comprised of connected logic units, such as gates and flip-flops, and/or may be comprised of programmable units, such as programmable gate arrays or processors. The modules or computing device functionality described herein are preferably implemented as software modules, but may be represented in hardware or firmware. Generally, the modules described herein refer to logical modules that may be combined with other modules or divided into sub-modules despite their physical organization or storage


Computer system 100 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 100 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 100 in response to processor(s) 104 executing one or more sequences of one or more instructions contained in main memory 106. Such instructions may be read into main memory 106 from another storage medium, such as storage device 110. Execution of the sequences of instructions contained in main memory 106 causes processor(s) 104 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.


The term “non-transitory media,” and similar terms, as used herein refers to any media that store data and/or instructions that cause a machine to operate in a specific fashion. Such non-transitory media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 110. Volatile media includes dynamic memory, such as main memory 106. Common forms of non-transitory media include, for example, a floppy disk, a flexible disk, hard disk, solid state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge, and networked versions of the same.


Non-transitory media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between non-transitory media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 102. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.


Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 104 for execution. For example, the instructions may initially be carried on a magnetic disk or solid state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 100 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 102. Bus 102 carries the data to main memory 106, from which processor 104 retrieves and executes the instructions. The instructions received by main memory 106 may retrieve and execute the instructions. The instructions received by main memory 106 may optionally be stored on storage device 110 either before or after execution by processor 104.


Computer system 100 also includes a communication interface 118 coupled to bus 102. Communication interface 118 provides a two-way data communication coupling to a network link 120 that is connected to a local network 122. For example, communication interface 118 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 118 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN (or WAN component to communicate with a WAN). Wireless links may also be implemented. In any such implementation, communication interface 118 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.


Network link 120 typically provides data communication through one or more networks to other data devices. For example, network link 120 may provide a connection through local network 122 to a host computer 124 or to data equipment operated by an Internet Service Provider (ISP) 126. ISP 126 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 128. Local network 122 and Internet 128 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 120 and through communication interface 118, which carry the digital data to and from computer system 100, are example forms of transmission media.


Computer system 100 can send messages and receive data, including program code, through the network(s), network link 120 and communication interface 118. In the Internet example, a server 130 might transmit a requested code for an application program through Internet 128, ISP 126, local network 122 and communication interface 118.


The received code may be executed by processor 104 as it is received, and/or stored in storage device 110, or other non-volatile storage for later execution.



FIG. 2 is a block diagram of the computer system 100 for analyzing potentially undesirable electronic communications, as used in an embodiment. In variations, additional blocks may be included, some blocks may be removed, and/or blocks may be connected or arranged differently from what is shown.


Computer system 100 interfaces with local network 122, described above with reference to FIG. 1. Users 221 interact with the local network 122, for example, for email, text messaging, newsgroups, etc. In certain embodiments, users 221 can receive electronic communications via the local network 122. A recipient (one of the users 221) of an electronic communication can make a preliminary determination that the communication is a potential phishing, spam, or malicious communication and forward the communication to an administrator. For example, a company employee can forward a potential phishing, spam, or malicious email to a corporate “abuse” email account (e.g., abuse@example.org).


Computer system 100 may include computer readable storage devices. For example, computer system 100 may include electronic communications records storage device 207. The electronic communications records storage device 207 may be configured to store records of first electronic communications to internal recipients within a local network for a period of time. As an example, the electronic communications records storage device 207 can store records of emails sent to recipients within the local network 122 over the last week or the last month or the last six months. An example can be a PROOFPOINT (Proofpoint, Inc., Sunnyvale, Calif.) log. For each of the first electronic communications, a record can reflect the “from” field corresponding to a purported author of the first electronic communication, one or more “recipient” fields corresponding to the recipients of the respective first electronic communication (e.g., a “to” field, a “cc” field, and/or a “bcc” field), and/or the subject field corresponding to a purported topic of the respected first electronic communication. An electronic communications record need not be an email itself. This term is a broad term and encompasses subsets of data about electronic communications. For example, the term encompasses certain metadata regarding emails.


Computer system 100 may further include electronic communications storage device 203. The electronic communications storage device 203 may be configured to store a plurality of prescreened electronic communications. As an example, the electronic communications storage device 203 can store prescreened emails. In at least one embodiment, each prescreened electronic communication is preliminarily identified as a potential undesirable electronic communication.


As used herein, the term prescreened electronic communication refers to an electronic communication that has been reviewed and identified as potentially having a certain characteristic or characteristics. The review need not be detailed or performed by someone with special training. For example, the initial recipient of the electronic communication can perform the prescreening. In this regard, a prescreened electronic communication can refer to an email that has been reviewed by its human recipient and judged or identified as a potentially undesirable electronic communication. In other instances, as noted above, the prescreening can occur without human intervention, for example, with applied rules or a suitable program. A company employee can forward a potential phishing, spam, or malicious email to an abuse account. Fourth access module 227 and/or another suitable module interfacing with the local network 122 can execute a suitable script to download the emails in the abuse email account to a computer folder or subfolder or other database as text-formatted file, such as an .eml file. The computer folder, subfolder, or other database can represent an example of electronic communications storage device 203, discussed above. Each prescreened electronic communication in the electronic communications storage device 203 can include a from field, one or more recipient fields, a subject field, and/or a message body.


Computer system 100 may include one or more modules which may be implemented as software or hardware. For example, computer system 100 may include first access module 201. The first access module 201 may be configured to access, from the electronic communications storage device 203, the plurality of prescreened electronic communications. Computer system 100 may include second access module 205. The second access module 205 may be configured to access, from the electronic communications records storage device 207, the records.


Computer system 100 may include grouping module 211. Grouping module 211 of computer system 100 may be configured to group, from the plurality of prescreened electronic communication, a data cluster of the prescreened electronic communications. A data cluster may be generated, determined, and/or selected from one or more sets of electronic communications according to a cluster generation strategy. A data cluster may further be generated, determined, and/or selected based on a seed. For example, seeds may comprise emails received within a time or date range, such as the last 24 hours. Electronic communications related to the seeds may be determined and added to the cluster. Further, additional electronic communications related to any clustered electronic communication may also be added to the cluster iteratively as indicated by a cluster generation strategy. Electronic communications may be related by any common and/or similar properties, metadata, types, relationships, and/or the like. Data clusters may also be referred to herein as “clustered data structures,” “electronic communication clusters,” and “clusters.” Data clusters are described in further detail in U.S. patent application Ser. No. 14/579,752 and U.S. Pat. No. 8,788,405, which have been incorporated herein by reference in their entireties.


In at least one embodiment, the prescreened electronic communications of a data cluster share a similar from field and/or a similar subject field. For example, the grouping module 211 can identify an initial electronic communication and its from field and/or its subject field. The grouping module 211 may identify additional electronic communications with similar from fields and/or similar subject fields and add them to the cluster. In at least one embodiment, the grouping module 211 identifies electronic communications having the same from field. Alternatively, or in conjunction, the grouping module 211 can identify electronic communications having from fields with similar characteristics. For instance, the grouping module 211 can implement regular expression matching or another suitable pattern recognition algorithm to identify email addresses having the same local part (the part before the “@” symbol), even if the email addresses have different domain parts (the part after the “@” symbol). Or the grouping module 211 can identify email addresses having similar patterns, such as abc1def@example.com, bcd2efg@example.com, and cde3fgh@example.com. As yet another example, grouping module 211 can identify electronic communications having the same subject field. Alternatively, or in conjunction the grouping module 211 can identify electronic communications having subject fields with similar characteristics. For instance the grouping module 211 can identify email subjects following a pattern, such as “<Varying Bank Name>: Online Banking Security Precaution,” using a suitable technique such as regular expression matching.


Other suitable techniques for identifying additional electronic communications with similar from fields and/or similar subject fields and adding them to the cluster with the grouping module 211 are also contemplated. Yet another example of such grouping can include grouping based on similar edit distances. Edit distance is a technique of quantifying how dissimilar two strings (such as words) are to one another by counting the minimum number of operations required to transform one string into the other.


Optionally, computer system 100 may further include an identification module 213. The identification module 213 of computer system 100 may identify additional recipients associated with the data cluster. As noted above, a data cluster comprises prescreened electronic communications. The additional recipients need not be associated with prescreened electronic communications. For example, many recipients within a local network may receive similar emails and some of those recipients may report the emails as potential phishing communications to an administrator. Some recipients may not report the emails to anyone, however.


In this regard, the additional recipients can be identified in the records accessed by second access module 205 or in another electronic communications storage device (not shown). For example, identification module 213 can identify the subject field of the prescreened electronic communications or a substring within the subject field of the prescreened electronic communications, such as the first, middle, or last n characters. Then, the identification module 213 can access electronic communications records storage device 207 (optionally via second access module 205) and identify additional electronic communications having the same subject field or substring. Based on the subject fields of the identified additional electronic communications, the identification module 213 can determine additional recipients of those additional electronic communications corresponding with the associated to, cc, or bcc fields.


Computer system 100 may include an optional classification module 215. Classification module 215 of computer system 100 may be configured to classify, based on one or more attributes of the data cluster, the data cluster with a classification reflecting a priority for assessing whether the prescreened electronic communications associated with the data cluster are undesirable electronic communications. Advantageously, the classification module 215 is configured such that, once initiated, the classifying is performed by the one or more hardware computer processors, without the need for manually performing the classifying.


For instance, in one embodiment, classification module 215 can automatically determine a rank or status of a recipient of a prescreened electronic communication in a data cluster without requiring user intervention. As an example, classification module can identify an employee identification number associated with a recipient, cross reference the employee identification number against an organizational database for the local network, and determine the recipient's rank. The relevant information, such as the employee identification number and rank, can be stored to the data cluster dossier. A data cluster including a recipient with a sufficiently high rank or status, such as a C suite officer or critical employee, may be assigned classification reflecting a high priority for assessing whether the prescreened electronic communications associated with the data cluster are undesirable electronic communications.


Computer system 100 may also include a parsing module 217. As discussed above, each prescreened electronic communication can comprise a message body in some embodiments. Parsing module 217 of computer system 217 may be configured to parse, for one or more of the electronic communications in the data cluster, the respective message body for certain strings, such as uniform resource locators.


Computer system 100 may include a user interface module 219. The user interface module 219 can be configured to generate user interface data for rendering an interactive user interface on a computing device. The user interface module 219 can also be configured to update the user interface data. User interface module 219 may include one or more modules configured to generate user interfaces, such as web pages, desktop applications, mobile interfaces, voice interfaces, and the like. The user interface module 219 may invoke the above described modules in order to make calculations to be presented to individuals. The user interface module 219 may present data via network. The user interface module 219 may further receive input from individuals so that the input may be provided to the appropriate modules and/or stored.


Computer system can optionally interact with a proxy log 225 via the local network 122. In general, the proxy log 225 is produced by a local network proxy server and gives detailed information about the URLs accessed by specific users 221. In various embodiment discussed herein, fourth access module 227 and/or another suitable module interfacing with the local network 122 can execute a suitable script to search the proxy log for a particular URL or IP address and determine which users 221 (if any) have accessed the URL.


Computer system 100 is also configured to interface with DNSBL or RBL 128 or other blacklist. DNSBL stands for a DNS-based Blackhole List, and RBL stands for Real-time Blackhole List. These are “blacklists” of locations on the Internet reputed to send email spam or other undesirable electronic communications. In computing, a blacklist is a basic access control mechanism for allowing through elements, except those explicitly mentioned in the list. Those items on the list are denied access. Third access module 209 can be used to interface with third party vendor's DNSBL or RBL 128 or other blacklist via Internet 223. For example, as described in greater detail below, third access module 209 can be instructed to check an IP address against DNSBL or RBL 128 or other blacklist, such as dnsbl.example.net. The third access module 209 can take the IP access (such as 192.168.42.23) and reverse the order of the octets (23.42.168.192). The third access module 209 can then append the domain name of DNSBL or RBL 128 or other blacklist, yielding 23.42.168.192.dnsbl.example.net. Subsequently, the third access module 209 can look up this name in the DNS as a domain name. The query will either return an address, indicating that the IP address is blacklisted or a no-such-domain code (such as NXDOMAIN), indicating that the IP address is not blacklisted. If the IP address is listed, the third access module 209 optionally can look up why the IP address is listed as a text record, a function supported by most blacklist services.


II. Implementation Methods


FIG. 3 shows an example method for implementing computer system 100 of FIG. 2, namely, a process of analyzing potentially undesirable electronic communications. In box 301, computer system 100 accesses electronic communications. Box 301 of FIG. 3 can be implemented with first access module 201 and second access module 205 of FIG. 2. In an example embodiment, a script is executed to generate the initial seeds for generating collections of clusters of related data from the seeds, as described in U.S. Pat. No. 8,788,405, incorporated herein by reference. The seeds can be, for instance, a time or date range of emails to target. The script can update the seeds each run to have the time or date range be, for example, the last 24-hour window.


In box 303a, computer system 100 identifies electronic communications with similar from fields. In box 303b, computer system 100 identifies electronic communications with similar subject fields. As discussed with reference to FIG. 2, box 303a in box 303b can be implemented with identification module 213. It should be clear that computer system 100 does not necessarily have to implement both box 303a and box 303b in the method. They can be implemented in the alternative. In box 305, computer system 100 groups similar electronic communications in a data cluster. Box 305 can be implemented with grouping module 211. For example, a cluster strategy, as described in U.S. Pat. No. 8,788,405, can be executed. The cluster strategy can process new emails, that is, emails received within the last 24 hours. The cluster strategy loads any data cluster object that has been modified in the last day. In other embodiments, the cluster strategy can load any data cluster object previously marked as malicious, which may encompass emails received greater than 24 hours in the past. For each new email, the strategy checks whether that email is already part of a data cluster. The strategy can merge the email with an existing data cluster based on subject. Emails that are not part of a data cluster generate new data clusters that eventually can be linked to other emails with similar subjects, senders, etc. Linking emails can be based off an identification property number for the data cluster. A data cluster can include information such as the submitter(s), recipients, external senders, subjects, and any URLs for the associated potentially undesirable electronic communications, as well as the body of the relevant email(s). A dossier can be created for each data cluster. The dossier comprises additional information besides the information from the potentially undesirable electronic communications that is relevant during analyst triage.


In box 307, computer system 100 classifies the data cluster. Box 307 can be implemented with classification module 215. An example classification is a priority tier, reflecting a priority for assessing whether the potentially undesirable electronic communications associated with the data cluster are actually undesirable electronic communications. The classification can be performed without the need for manual user intervention.


A factor in the classification algorithm can include the number of potentially undesirable electronic communications that are in the data cluster. Certain embodiments include the inventive realization that multiple similar potentially undesirable electronic communications submitted to an abuse account are more likely to be undesirable electronic communications than single instance electronic communications submitted to the abuse account.


Another factor in the classification algorithm can include whether the data cluster comprises any URLs on a DNSBL and/or RBL or other blacklist. Certain embodiments include the inventive realization that a data cluster including a URL on a DNSBL and/or RBL or other blacklist is more likely to be associated with undesirable electronic communications than a data cluster that does not include URLs or any identified URLs are not on a DNSBL and/or RBL or other blacklist.


Another factor in the classification algorithm can include whether the data cluster is associated a recipient with a sufficiently high rank or status, such as a C suite officer or critical employee. For example, it is important to identify phishing attacks targeting high ranking individuals in a local network, as compromised information can affect the local network's integrity. The identified tiers can be classified as desired. For example, tier 0 may be defined to relate to the highest priority data clusters (those most likely to be phishing or malicious communication) while tier 3 relates to the lowest priority data clusters (those most likely to be spam communications).


In box 309, computer system 100 generates a user interface with at least one selectable element reflecting the classification. And in box 311, computer system 100 updates the user interface with information regarding the data cluster. Box 309 and box 311 can be implemented with user interface module 219. For example, an analyst can review a dossier associated with a data cluster in a tier 0 classification and determine if the associated data cluster is malicious, phishing, spam, or a legitimate communication. The analyst assigns the dossier a status. The status is transferred to the data cluster. The analyst can mark entire clusters as legitimate or not.



FIG. 4 shows another example method for implementing computer system 100 of FIG. 2, namely, a process of taking action based on potentially undesirable electronic communications. In box 401, computer system 100 displays a user interface with information regarding data cluster to user. In box 403, computer system 100 receives a disposition regarding the data cluster from a user. In box 405 computer system 100 transmits electronic notification based on the disposition. For example, a network administrator can execute a script to identify data clusters that were recently updated with a status. The script can identify all recipients associated in the dossier (including recipients who did not report the electronic communication to an abuse account) and send the recipients an email indicating the received electronic communication was a phishing, malicious, or other high-risk communication. In certain embodiments, when a new recipient reports an electronic communication as potentially undesirable and the cluster strategy merges the electronic communication with an existing data cluster already assigned a status, the script will send the new recipient a notification.



FIG. 5 shows another example method for implementing computer system 100 of FIG. 2, namely, a process of analyzing potentially undesirable electronic communications and taking action based thereon. In box 501, the computer system 100 accesses electronic communication records. In box 503, computer system 100 identifies additional recipients associated with the data cluster. For example, PROOFPOINT logs can be searched for emails with similar subjects. This search identifies additional recipients that received potentially undesirable electronic communications but did not report them to the abuse account discussed above. The additional recipients and/or relevant PROOFPOINT log entries can be added to the data cluster dossier. In box 505, computer system 100 updates the user interface with informational data reflecting the additional recipients. In box 507, computer system 100 transmits an electronic notification to additional recipients based on the disposition.



FIG. 6 shows yet another example method for implementing computer system 100 of FIG. 2, namely, a process of analyzing potentially undesirable electronic communications. In box 601, computer system 100 parses electronic communications in the data cluster for any URLs. In box 603, computer system 100 displays a user interface with information regarding the presence of any URLs. In box 611, computer system 100 accesses the proxy log. In box 613, computer system 100 determines whether the parsed URLs have been accessed by any users of the local network. In box 615 computer system 100 displays on the user interface information regarding the presence of any accessed URLs. For example, the local network proxy log can be searched for traffic to any URLs identified in the emails in the data cluster. This search identifies any members of the local network who visited a potentially malicious website by clicking on a URL in an email. These “clickers” can be added to the data cluster dossier.


In box 605, computer system 100 accesses one or more DNSBLs and/or RBLs or other blacklists. In box 607, computer system 100 determines whether the parsed URLs are on a DNSBL and/or RBL or other blacklist. In box 609, computer system 100 displays on the user interface information regarding the presence of blacklist URLs.



FIG. 7 shows a data cluster analysis user interface in which multiple data clusters are prioritized. The interactive user interface (generated with user interface module 219 of FIG. 2) can include an element selectable by a user. This example includes four selectable elements, labeled tier 0, tier 1, tier 2, and tier 3. Here, the selectable elements relate to classifications reflecting the priority for assessing whether the prescreened electronic communications associated with data clusters are undesirable electronic communications.


A user selects a selectable element with a suitable input device such as a mouse, finger, or stylus. FIG. 8 shows a data cluster analysis user interface showing potentially undesirable electronic communications for a high priority group of data clusters. Turning next to FIG. 8, the user has selected tier 0. The interactive user interface shown in FIG. 8 has been updated to show a list of data clusters associated with that tier. For example, the first item in the list shows a data cluster comprising one prescreened electronic communication with the subject field “ACTION REQUIRED BY Friday Apr. 17, 2015—FINAL REQUEST.” The second item in the list shows a data cluster comprising one prescreened electronic communication with the subject field “Employment Ref: QMK2015-2020-1XQM.” The third item in the list shows a data cluster comprising eight prescreened electronic communications with subject fields like “Review Secured Access.”



FIG. 8 also demonstrates certain aspects of the system's front-end filtering capabilities. The left-most column of FIG. 8 shows example metadata fields or filters that are filterable for each cluster. For example, a user can filter clusters based of a specific sender, rather than conducting tiled-tier filtering. A search bar in the upper-right corner of FIG. 8 allows for similar metadata search.


A user selects the third item in the list (the third data cluster) with a suitable input device. FIGS. 9-13 shows various aspects of a dossier analysis user interface showing informational data regarding a data cluster, here, the third data cluster. The interactive user interface shown in FIG. 9 has been updated to show informational data associated with the third data cluster. In this example, the interactive user interface displays a summary tab showing information such as who sent the prescreened electronic communications in the data cluster to the local network, who in the local network submitted it, which URLs were found in the prescreened electronic communications, which attachments were found in the prescreened electronic communications, and/or whether any of the URLs were found in a DNSBL and/or RBL or other blacklist. Here, the summary tab shows the prescreened electronic communications in the data cluster contain 61 total URLs and one attachment. Two of the URLs were found in a DNSBL and/or RBL or other blacklist, here the RISKIQ blacklist (RiskIQ, Inc., San Francisco, Calif.).


The user can select a messages tab with a suitable input device to have additional information data displayed on the user interface. The interactive user interface shown in FIG. 10 has been updated to show additional informational data associated with the third data cluster. In this example, the messages tab shows textual data, such as the message body, of prescreened electronic communications in the data cluster.


The user can select a clickers tab with a suitable input device to have additional information data displayed on the user interface. The interactive user interface shown in FIG. 11 has been updated to show additional informational data associated with the third data cluster. In this example, the clickers tab shows the result of searching the proxy log for the URLs associated with the data cluster to see who in the local network clicked on the links. The NAME field reflects the name of the user who accessed the URL. The NBID field reflects an identification number associated with the user. The BAND field reflects the user's rank or status within the local network, with a lower BAND number reflecting a higher ranking user. The NAME, NBID, and BAND can be stored in and retrieved from the data cluster dossier, as discussed.


The user can also select a recipients tab with a suitable input device to have additional information data displayed on the user interface. The interactive user interface shown in FIG. 12 has been updated to show additional informational data associated with the third data cluster. In this example, the recipients tab shows the result of searching electronic communications storage device 203 (such as a PROOFPOINT log) to identify recipients in the local network received electronic communications similar to the prescreened electronic communications, in addition to those recipients who reported the prescreened electronic communications to an administrator.


The user can also select a raw data option with a suitable input device to have additional information data displayed on the user interface. The interactive user interface shown in FIG. 13 has been updated to show additional informational data associated with the third data cluster. In this example, the raw data shows PROOFPOINT logs.


Turning next to FIGS. 14A and 14B, which show dossier analysis user interfaces showing informational data regarding a data cluster, once a data cluster is analyzed, an analyst gives the data cluster a status, such as “legitimate,” “spam,” “phishing,” or “malicious.” Depending on the status, recipients are notified, such as by email, informing the recipients not to enter their credentials or informing the recipients the prescreened electronic communications is legitimate and can be responded to. As noted above, in various embodiments, a recipient need not have reported a potentially undesirable electronic communication (e.g., to an abuse account) to receive the notification. It should also be understood that, in certain embodiments, a recipient can receive such a notification even if the potentially undesirable electronic communication received does not match all of the characteristics in the initial cluster in all respects. For example, a recipient may receive a notification if the recipient received an email from the same sender, with a slightly different subject but including the same phishing link, or variation on that phishing link and/or similar language.


All recipients associated with a data cluster can be identified (such as using PROOFPOINT logs) and stored in the data cluster dossier. The dossier can be cross-referenced for the notification. In yet another example, a seed email might lead to one hundred nearly identical emails being identified, but based on the characteristics of those emails, it may be discovered that there are other shared attributes among those that end up expanding the volume of potential spam that is captured. For example, email 1 is from sender A, with subject line B and link C. That link might show up in emails from a different sender D who does not use the same subject B. Nevertheless, the system would still recognize the emails are relevant because of the link. Then, the system can analyze emails with subject B and recognize that sender A is also using a third link and then cross reference and discover other senders using that different link.


III. Terminology

Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The processes and algorithms may be implemented partially or wholly in application-specific circuitry.


The various features and processes described above may be used independently of one another, or may be combined in various ways. All possible combinations and subcombinations are intended to fall within the scope of this disclosure. In addition, certain method or process blocks may be omitted in some implementations. The methods and processes described herein are also not limited to any particular sequence, and the blocks or states relating thereto can be performed in other sequences that are appropriate. For example, described blocks or states may be performed in an order other than that specifically disclosed, or multiple blocks or states may be combined in a single block or state. The example blocks or states may be performed in serial, in parallel, or in some other manner. Blocks or states may be added to or removed from the disclosed example embodiments. The example systems and components described herein may be configured differently than described. For example, elements may be added to, removed from, or rearranged compared to the disclosed example embodiments. In addition, the inventions illustratively disclosed herein suitably may be practiced in the absence of any element which is not specifically disclosed herein.


Conditional language, such as, among others, “can,” “could,” “might,” or “may,” unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or steps. Thus, such conditional language is not generally intended to imply that features, elements and/or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements and/or steps are included or are to be performed in any particular embodiment.


Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art.


It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure. The foregoing description details certain embodiments of the invention. It will be appreciated, however, that no matter how detailed the foregoing appears in text, the invention can be practiced in many ways. As is also stated above, it should be noted that the use of particular terminology when describing certain features or aspects of the invention should not be taken to imply that the terminology is being re-defined herein to be restricted to including any specific characteristics of the features or aspects of the invention with which that terminology is associated. The scope of the invention should therefore be construed in accordance with the appended claims and any equivalents thereof.

Claims
  • 1. A system comprising: one or more computer readable storage mediums having program instructions embodied thereon; andone or more hardware processors configured to execute the program instructions to cause the system to: transmit data for displaying a dynamic user interface indicating a plurality of priority tiers of different priorities for assessing if emails are undesirable;in response to receiving a selection of a first priority tier of the plurality of priority tiers, update the dynamic user interface to indicate a plurality of clusters of emails associated with the first priority tier including at least a first cluster of emails, wherein a first plurality of emails are included in the first cluster of emails based at least in part on having a first feature in common;in response to receiving a selection of at least the first cluster of emails of the plurality of clusters of email, update the dynamic user interface to display: the first plurality of emails that are included in the first cluster of emails; anda second email included in the first cluster of emails, wherein the second email does not include the first feature that is common to the first plurality of emails, and wherein the second email shares a second feature in common with at least one email from the first plurality of emails;in response to receiving one or more user interactions with the dynamic user interface, update the dynamic user interface to display: a plurality of uniform resource locators (URLs), wherein each URL in the plurality of URLs is embedded in one or more of the emails of the first cluster of emails included in the first priority tier;information about a plurality of users, wherein each user of the plurality of users accessed one or more of the plurality of URLs embedded in one or more emails of the first cluster of emails included in the first priority tier;transmit data for displaying, in the dynamic user interface, a menu of labels selectable to associate a status or maliciousness with a cluster; andin response to receiving a selection of a first label from the menu of labels, associate the first label with the first cluster of emails including the first plurality of emails and the second email.
  • 2. The system of claim 1, wherein the first cluster is categorized into the first priority tier based at least in part on at least one of: organizational roles of recipients of emails included in the first cluster, a number of emails included in the first cluster, an access to a first URL included in any email included in the first cluster, or a match of a second URL included in any email included in the first cluster with a blackhole listed URL.
  • 3. The system of claim 1, the first feature common to the first plurality of emails comprising at least one of: a field corresponding to a purported author;one or more recipient fields corresponding to recipients;a subject field corresponding to a purported topic; anda URL.
  • 4. The system of claim 1, one or more processors configured to execute the program instructions to cause the system to: transmit data for displaying a plurality of filters including at least two of: a sender, a severity, a source, a subject, and a URL;receive a selection of a selected filter from among plurality of filters; andupdate the dynamic user interface based at least in part on the selected filter.
  • 5. A method for analyzing suspicious emails comprising: displaying, on a display device, a dynamic user interface indicating a plurality of priority tiers indicating different priorities for analyzing suspicious emails;receiving a selection of a first priority tier from among the plurality of priority tiers;in response to receiving the selection of the first priority tier, updating the dynamic user interface to indicate a plurality of clusters of emails associated with the first priority tier including at least a first cluster of emails, wherein a first plurality of emails are included in the first cluster based at least in part on having a first feature in common;receiving a selection of at least the first cluster of emails from among the plurality of clusters of emails;in response to receiving the selection of at least the first cluster of emails, causing the dynamic user interface to display: the first plurality of emails that are included in the first cluster of emails; anda second email included in the first cluster of emails, wherein the second email does not include the first feature that is common to the first plurality of emails, and wherein the second email shares a different feature in common with at least one email from the first plurality of emails;in response to receiving one or more user interactions with the dynamic user interface, updating the dynamic user interface to display: a plurality of uniform resource locators (URLs), wherein each URL in the plurality of URLs is embedded in one or more of the emails of the first cluster of emails included in the first priority tier; andinformation about a plurality of users, wherein each user of the plurality of users accessed one or more of the URLs embedded in one or more emails of the first cluster of emails included in the first priority tier;displaying, in the dynamic user interface, a menu including a plurality of labels selectable to associate a status or maliciousness with a cluster;receiving a selection of a first label from the plurality of labels; andin response to receiving the selection of the first label, classifying the first cluster of emails including the first plurality of emails and the second email with the first label.
  • 6. The method of claim 5, wherein the first cluster of emails is associated with the first priority tier based on at least in part on at least one of: an organizational roles of a recipient of an email included in the first cluster of emails, a number of emails included in the first cluster of emails, an access to a URL included in an email included in the first cluster of emails, or a match of a URL included in an email in the first cluster of emails with a blackhole listed URL.
  • 7. The method of claim 5, the first feature common to a plurality of emails comprising at least one of: a field corresponding to a purported author;one or more recipient fields corresponding to recipients;a subject field corresponding to a purported topic; anda URL.
  • 8. The method of claim 5, further comprising: displaying a plurality of filters including at least two of: a sender, a severity, a source, a subject, and a URL;receiving a selection of a selected filter from among plurality of filters; andupdating the dynamic user interface based at least in part on the selected filter.
  • 9. A system comprising: one or more computer readable storage mediums having program instructions embodied thereon; andone or more hardware processors configured to execute the program instructions to cause the system to: receive submissions of suspicious electronic communications;categorize the suspicious electronic communications into clusters, wherein a first cluster of the clusters includes: a first plurality of electronic communications categorized into the first cluster based at least in part on having a first feature in common; anda second electronic communication that does not include the first feature and does share a second feature in common with at least one electronic communication of the first plurality of electronic communications;categorize the clusters into priority tiers indicating different priorities for assessing if electronic communications are undesirable, wherein the first cluster is categorized into a first priority tier;in response to receiving a selection of a first priority tier, provide first data including an indication of a first plurality of clusters associated with the first priority tier;in response to receiving a selection of at least the first cluster, provide second data for displaying indications of the first plurality of electronic communications and the second electronic communication;in response to receiving one or more user interactions to display details about the first cluster, provide third data for displaying: a plurality of uniform resource locators (URLs), wherein each URL in the plurality of URLs is embedded in one or more of the electronic communications of the first cluster included in the first priority tier; andinformation about a plurality of users, wherein each user of the plurality of users accessed one or more of the URLs embedded in one or more electronic communications of the first cluster included in the first priority tier;receive a disposition indicating a type of undesirable electronic communication, the disposition selected from a menu of labels; andapply the disposition to the first cluster including the first plurality of electronic communications and the second electronic communication.
  • 10. The system of claim 9, wherein the first cluster is categorized into the first priority tier based at least in part on at least one of: organizational roles of recipients of electronic communications included in the first cluster, a number of electronic communications included in the first cluster, an access to a URL included in any electronic communication included in the first cluster, or a match of a URL included in any electronic communication included in the first cluster with a blackhole listed URL.
  • 11. The system of claim 9, one or more processors configured to execute the program instructions to cause the system to: filter the first data based on at least one of: a sender, a severity, a source, a subject, and a URL.
INCORPORATION BY REFERENCE

This application is a continuation of and claims priority to U.S. patent application Ser. No. 15/253,717, filed on Aug. 31, 2016, which claims the benefit of U.S. patent application Ser. No. 15/072,174, filed Mar. 16, 2016, which claims the benefit of U.S. Provisional Patent Application No. 62/202,104, filed Aug. 6, 2015, all of which are incorporated by reference in their entireties. The disclosure below also references various features of U.S. patent application Ser. No. 14/579,752, filed Dec. 22, 2014, and U.S. Pat. No. 8,788,405 B1, issued Jul. 22, 2014. The entire disclosures of those applications are hereby made part of this specification as if set forth fully herein and incorporated by reference for all purposes, for all that they contain.

US Referenced Citations (792)
Number Name Date Kind
5109399 Thompson Apr 1992 A
5329108 Lamoure Jul 1994 A
5632009 Rao et al. May 1997 A
5670987 Doi et al. Sep 1997 A
5781704 Rossmo Jul 1998 A
5798769 Chiu et al. Aug 1998 A
5845300 Comer Dec 1998 A
5978475 Schneier et al. Nov 1999 A
6057757 Arrowsmith et al. May 2000 A
6091956 Hollenberg Jul 2000 A
6161098 Wallman Dec 2000 A
6219053 Tachibana et al. Apr 2001 B1
6232971 Haynes May 2001 B1
6247019 Davies Jun 2001 B1
6253203 O'Flaherty et al. Jun 2001 B1
6279018 Kudrolli et al. Aug 2001 B1
6341310 Leshem et al. Jan 2002 B1
6366933 Ball et al. Apr 2002 B1
6369835 Lin Apr 2002 B1
6374251 Fayyad et al. Apr 2002 B1
6456997 Shukla Sep 2002 B1
6549944 Weinberg et al. Apr 2003 B1
6560620 Ching May 2003 B1
6567936 Yang et al. May 2003 B1
6581068 Bensoussan et al. Jun 2003 B1
6594672 Lampson et al. Jul 2003 B1
6631496 Li et al. Oct 2003 B1
6642945 Sharpe Nov 2003 B1
6674434 Chojnacki et al. Jan 2004 B1
6714936 Nevin, III Mar 2004 B1
6725240 Asad et al. Apr 2004 B1
6775675 Nwabueze et al. Aug 2004 B1
6778982 Knight Aug 2004 B1
6807569 Bhimani et al. Oct 2004 B1
6820135 Dingman Nov 2004 B1
6828920 Owen et al. Dec 2004 B2
6839745 Dingari et al. Jan 2005 B1
6877137 Rivette et al. Apr 2005 B1
6968511 Robertson Nov 2005 B1
6976210 Silva et al. Dec 2005 B1
6978419 Kantrowitz Dec 2005 B1
6980984 Huffman et al. Dec 2005 B1
6985950 Hanson et al. Jan 2006 B1
7017046 Doyle et al. Mar 2006 B2
7036085 Barros Apr 2006 B2
7043702 Chi et al. May 2006 B2
7055110 Kupka et al. May 2006 B2
7069586 Winneg et al. Jun 2006 B1
7139800 Bellotti et al. Nov 2006 B2
7158878 Rasmussen et al. Jan 2007 B2
7162475 Ackerman Jan 2007 B2
7168039 Bertram Jan 2007 B2
7171427 Witowski et al. Jan 2007 B2
7225468 Waisman et al. May 2007 B2
7269786 Malloy et al. Sep 2007 B1
7278105 Kitts Oct 2007 B1
7290698 Poslinski et al. Nov 2007 B2
7333998 Heckerman et al. Feb 2008 B2
7370047 Gorman May 2008 B2
7373669 Eisen May 2008 B2
7379811 Rasmussen et al. May 2008 B2
7379903 Caballero et al. May 2008 B2
7426654 Adams et al. Sep 2008 B2
7451397 Weber et al. Nov 2008 B2
7454466 Bellotti et al. Nov 2008 B2
7467375 Tondreau et al. Dec 2008 B2
7487139 Fraleigh et al. Feb 2009 B2
7502786 Liu et al. Mar 2009 B2
7525422 Bishop et al. Apr 2009 B2
7529727 Arning et al. May 2009 B2
7529734 Dirisala May 2009 B2
7546245 Surpin et al. Jun 2009 B2
7558677 Jones Jul 2009 B2
7574409 Patinkin Aug 2009 B2
7574428 Leiserowitz et al. Aug 2009 B2
7579965 Bucholz Aug 2009 B2
7593995 He et al. Sep 2009 B1
7596285 Brown et al. Sep 2009 B2
7614006 Molander Nov 2009 B2
7617232 Gabbert et al. Nov 2009 B2
7620628 Kapur et al. Nov 2009 B2
7627812 Chamberlain et al. Dec 2009 B2
7634717 Chamberlain et al. Dec 2009 B2
7640173 Surpin et al. Dec 2009 B2
7703021 Flam Apr 2010 B1
7706817 Bamrah et al. Apr 2010 B2
7712049 Williams et al. May 2010 B2
7716067 Surpin et al. May 2010 B2
7716077 Mikurak May 2010 B1
7725530 Sah et al. May 2010 B2
7725547 Albertson et al. May 2010 B2
7730082 Sah et al. Jun 2010 B2
7730109 Rohrs et al. Jun 2010 B2
7752665 Robertson et al. Jul 2010 B1
7770032 Nesta et al. Aug 2010 B2
7770100 Chamberlain et al. Aug 2010 B2
7783658 Bayliss Aug 2010 B1
7801871 Gosnell Sep 2010 B2
7805457 Viola et al. Sep 2010 B1
7809703 Balabhadrapatruni et al. Oct 2010 B2
7814102 Miller et al. Oct 2010 B2
7818658 Chen Oct 2010 B2
7870493 Pall et al. Jan 2011 B2
7894984 Rasmussen et al. Feb 2011 B2
7899611 Downs et al. Mar 2011 B2
7917376 Bellin et al. Mar 2011 B2
7920963 Jouline et al. Apr 2011 B2
7933862 Chamberlain et al. Apr 2011 B2
7941321 Greenstein et al. May 2011 B2
7962281 Rasmussen et al. Jun 2011 B2
7962495 Jain et al. Jun 2011 B2
7962848 Bertram Jun 2011 B2
7970240 Chao et al. Jun 2011 B1
7971150 Raskutti et al. Jun 2011 B2
7984374 Caro et al. Jun 2011 B2
8001465 Kudrolli et al. Aug 2011 B2
8001482 Bhattiprolu et al. Aug 2011 B2
8010545 Stefik et al. Aug 2011 B2
8010886 Gusmorino et al. Aug 2011 B2
8015487 Roy et al. Sep 2011 B2
8019709 Norton et al. Sep 2011 B2
8024778 Cash et al. Sep 2011 B2
8036632 Cona et al. Oct 2011 B1
8036971 Aymeloglu et al. Oct 2011 B2
8046283 Burns Oct 2011 B2
8046362 Bayliss Oct 2011 B2
8054756 Chand et al. Nov 2011 B2
8082172 Chao et al. Dec 2011 B2
8103543 Zwicky Jan 2012 B1
8134457 Velipasalar et al. Mar 2012 B2
8135679 Bayliss Mar 2012 B2
8135719 Bayliss Mar 2012 B2
8145703 Frishert et al. Mar 2012 B2
8181253 Zaitsev et al. May 2012 B1
8185819 Sah et al. May 2012 B2
8190893 Benson et al. May 2012 B2
8196184 Amirov et al. Jun 2012 B2
8214361 Sandler et al. Jul 2012 B1
8214490 Vos et al. Jul 2012 B1
8214764 Gemmell et al. Jul 2012 B2
8225201 Michael Jul 2012 B2
8229902 Vishniac et al. Jul 2012 B2
8229947 Fujinaga Jul 2012 B2
8230333 Decherd et al. Jul 2012 B2
8239668 Chen et al. Aug 2012 B1
8266168 Bayliss Sep 2012 B2
8271461 Pike et al. Sep 2012 B2
8271598 Guy et al. Sep 2012 B2
8280880 Aymeloglu et al. Oct 2012 B1
8290926 Ozzie et al. Oct 2012 B2
8290942 Jones et al. Oct 2012 B2
8301464 Cave et al. Oct 2012 B1
8301904 Gryaznov Oct 2012 B1
8302855 Ma et al. Nov 2012 B2
8312367 Foster Nov 2012 B2
8312546 Alme Nov 2012 B2
8321943 Walters et al. Nov 2012 B1
8347398 Weber Jan 2013 B1
8352881 Champion et al. Jan 2013 B2
8368695 Howell et al. Feb 2013 B2
8397171 Klassen et al. Mar 2013 B2
8411046 Kruzeniski et al. Apr 2013 B2
8412707 Mianji Apr 2013 B1
8447674 Choudhuri et al. May 2013 B2
8447722 Ahuja et al. May 2013 B1
8452790 Mianji May 2013 B1
8463036 Ramesh et al. Jun 2013 B1
8473454 Evanitsky et al. Jun 2013 B2
8484115 Aymeloglu et al. Jul 2013 B2
8484168 Bayliss Jul 2013 B2
8489331 Kopf et al. Jul 2013 B2
8489641 Seefeld et al. Jul 2013 B1
8495077 Bayliss Jul 2013 B2
8498969 Bayliss Jul 2013 B2
8498984 Hwang et al. Jul 2013 B1
8510743 Hackborn et al. Aug 2013 B2
8514082 Cova et al. Aug 2013 B2
8515207 Chau Aug 2013 B2
8554579 Tribble et al. Oct 2013 B2
8554653 Falkenborg et al. Oct 2013 B2
8554709 Goodson et al. Oct 2013 B2
8560413 Quarterman Oct 2013 B1
8577911 Stepinski et al. Nov 2013 B1
8589273 Creeden et al. Nov 2013 B2
8595234 Siripuapu et al. Nov 2013 B2
8600872 Yan Dec 2013 B1
8620641 Farnsworth et al. Dec 2013 B2
8639757 Zang et al. Jan 2014 B1
8646080 Williamson et al. Feb 2014 B2
8676597 Buehler et al. Mar 2014 B2
8676857 Adams et al. Mar 2014 B1
8682812 Ranjan Mar 2014 B1
8683322 Cooper Mar 2014 B1
8689108 Duffield et al. Apr 2014 B1
8700547 Long et al. Apr 2014 B2
8707185 Robinson et al. Apr 2014 B2
8713018 Knight et al. Apr 2014 B2
8713467 Goldenberg et al. Apr 2014 B1
8726379 Stiansen et al. May 2014 B1
8739278 Varghese May 2014 B2
8742934 Sarpy et al. Jun 2014 B1
8744890 Bernier Jun 2014 B1
8745516 Mason et al. Jun 2014 B2
8756244 Dassa et al. Jun 2014 B2
8769412 Gill et al. Jul 2014 B2
8781169 Jackson et al. Jul 2014 B2
8782794 Ramcharran Jul 2014 B2
8787939 Papakipos et al. Jul 2014 B2
8788405 Sprague et al. Jul 2014 B1
8788407 Singh et al. Jul 2014 B1
8799190 Stokes et al. Aug 2014 B2
8799799 Cervelli et al. Aug 2014 B1
8799812 Parker Aug 2014 B2
8812960 Sun et al. Aug 2014 B1
8813050 Watters et al. Aug 2014 B2
8818892 Sprague et al. Aug 2014 B1
8830322 Nerayoff et al. Sep 2014 B2
8832594 Thompson et al. Sep 2014 B1
8832832 Visbal Sep 2014 B1
8839434 McDougal et al. Sep 2014 B2
8868486 Tamayo Oct 2014 B2
8868537 Colgrove et al. Oct 2014 B1
8917274 Ma et al. Dec 2014 B2
8924388 Elliot et al. Dec 2014 B2
8924389 Elliot et al. Dec 2014 B2
8924872 Bogomolov et al. Dec 2014 B1
8937619 Sharma et al. Jan 2015 B2
8938686 Erenrich et al. Jan 2015 B1
8949283 Cornwell Feb 2015 B1
9009171 Grossman et al. Apr 2015 B1
9009827 Albertson et al. Apr 2015 B1
9021260 Falk et al. Apr 2015 B1
9021384 Beard et al. Apr 2015 B1
9043696 Meiklejohn et al. May 2015 B1
9043894 Dennison et al. May 2015 B1
9047441 Xie et al. Jun 2015 B2
9049117 Nucci et al. Jun 2015 B1
9100428 Visbal Aug 2015 B1
9116975 Shankar et al. Aug 2015 B2
9135658 Sprague et al. Sep 2015 B2
9165299 Stowe et al. Oct 2015 B1
9171334 Visbal et al. Oct 2015 B1
9177014 Gross Nov 2015 B2
9177344 Singh et al. Nov 2015 B1
9202249 Cohen et al. Dec 2015 B1
9215240 Merza et al. Dec 2015 B2
9230280 Maag et al. Jan 2016 B1
9235638 Gattiker et al. Jan 2016 B2
9256664 Chakerian et al. Feb 2016 B2
9335897 Goldenberg May 2016 B2
9338013 Castellucci et al. May 2016 B2
9344447 Cohen et al. May 2016 B2
9367872 Visbal et al. Jun 2016 B1
9456000 Spiro et al. Sep 2016 B1
9558352 Dennison et al. Jan 2017 B1
9560066 Visbal Jan 2017 B2
9635046 Spiro et al. Apr 2017 B2
10135863 Dennison et al. Nov 2018 B2
10230746 Visbal Mar 2019 B2
20010021936 Bertram Sep 2001 A1
20020033848 Sciammarella et al. Mar 2002 A1
20020065708 Senay et al. May 2002 A1
20020091707 Keller Jul 2002 A1
20020095360 Joao Jul 2002 A1
20020095658 Shulman Jul 2002 A1
20020103705 Brady Aug 2002 A1
20020112157 Doyle et al. Aug 2002 A1
20020116120 Ruiz et al. Aug 2002 A1
20020130907 Chi et al. Sep 2002 A1
20020147805 Leshem et al. Oct 2002 A1
20020174201 Ramer et al. Nov 2002 A1
20020194119 Wright et al. Dec 2002 A1
20030028560 Kudrolli et al. Feb 2003 A1
20030033228 Bosworth-Davies et al. Feb 2003 A1
20030039948 Donahue Feb 2003 A1
20030074368 Schuetze et al. Apr 2003 A1
20030097330 Hillmer et al. May 2003 A1
20030140106 Raguseo Jul 2003 A1
20030144868 MacIntyre et al. Jul 2003 A1
20030154044 Lundstedt et al. Aug 2003 A1
20030163352 Surpin et al. Aug 2003 A1
20030200217 Ackerman Oct 2003 A1
20030225755 Iwayama et al. Dec 2003 A1
20030229848 Arend et al. Dec 2003 A1
20040032432 Baynger Feb 2004 A1
20040034570 Davis Feb 2004 A1
20040044912 Connary et al. Mar 2004 A1
20040064256 Barinek et al. Apr 2004 A1
20040085318 Hassler et al. May 2004 A1
20040095349 Bito et al. May 2004 A1
20040111410 Burgoon et al. Jun 2004 A1
20040123139 Aiello et al. Jun 2004 A1
20040126840 Cheng et al. Jul 2004 A1
20040143602 Ruiz et al. Jul 2004 A1
20040143796 Lerner et al. Jul 2004 A1
20040153418 Hanweck Aug 2004 A1
20040163039 McPherson et al. Aug 2004 A1
20040181554 Heckerman et al. Sep 2004 A1
20040193600 Kaasten et al. Sep 2004 A1
20040205524 Richter et al. Oct 2004 A1
20040221223 Yu et al. Nov 2004 A1
20040250124 Chesla et al. Dec 2004 A1
20040260702 Cragun et al. Dec 2004 A1
20040267746 Marcjan et al. Dec 2004 A1
20050010472 Quatse et al. Jan 2005 A1
20050027705 Sadri et al. Feb 2005 A1
20050028094 Allyn Feb 2005 A1
20050039119 Parks et al. Feb 2005 A1
20050065811 Chu et al. Mar 2005 A1
20050080769 Gemmell Apr 2005 A1
20050086207 Heuer et al. Apr 2005 A1
20050108063 Madill et al. May 2005 A1
20050125715 Franco et al. Jun 2005 A1
20050157662 Bingham et al. Jul 2005 A1
20050162523 Darrell et al. Jul 2005 A1
20050166144 Gross Jul 2005 A1
20050180330 Shapiro Aug 2005 A1
20050182793 Keenan et al. Aug 2005 A1
20050183005 Denoue et al. Aug 2005 A1
20050204001 Stein et al. Sep 2005 A1
20050210409 Jou Sep 2005 A1
20050222928 Steier et al. Oct 2005 A1
20050229256 Banzhof Oct 2005 A2
20050234850 Buchheit Oct 2005 A1
20050246327 Yeung et al. Nov 2005 A1
20050251786 Citron et al. Nov 2005 A1
20050262556 Waisman et al. Nov 2005 A1
20050275638 Kolmykov-Zotov et al. Dec 2005 A1
20060026120 Carolan et al. Feb 2006 A1
20060026170 Kreitler et al. Feb 2006 A1
20060026688 Shah Feb 2006 A1
20060031928 Conley et al. Feb 2006 A1
20060045470 Poslinski et al. Mar 2006 A1
20060059139 Robinson Mar 2006 A1
20060059238 Slater et al. Mar 2006 A1
20060069912 Zheng et al. Mar 2006 A1
20060074866 Chamberlain et al. Apr 2006 A1
20060074881 Vembu et al. Apr 2006 A1
20060080619 Carlson et al. Apr 2006 A1
20060093222 Saffer et al. May 2006 A1
20060095521 Patinkin May 2006 A1
20060129746 Porter Jun 2006 A1
20060139375 Rasmussen et al. Jun 2006 A1
20060142949 Helt Jun 2006 A1
20060143034 Rothermel Jun 2006 A1
20060143075 Carr et al. Jun 2006 A1
20060143079 Basak et al. Jun 2006 A1
20060149596 Surpin et al. Jul 2006 A1
20060179003 Steele et al. Aug 2006 A1
20060203337 White Sep 2006 A1
20060212931 Shull et al. Sep 2006 A1
20060218637 Thomas et al. Sep 2006 A1
20060241974 Chao et al. Oct 2006 A1
20060242040 Rader Oct 2006 A1
20060242630 Koike et al. Oct 2006 A1
20060265747 Judge Nov 2006 A1
20060271277 Hu et al. Nov 2006 A1
20060279630 Aggarwal et al. Dec 2006 A1
20070000999 Kubo et al. Jan 2007 A1
20070011150 Frank Jan 2007 A1
20070011304 Error Jan 2007 A1
20070016363 Huang et al. Jan 2007 A1
20070038646 Thota Feb 2007 A1
20070038962 Fuchs et al. Feb 2007 A1
20070057966 Ohno et al. Mar 2007 A1
20070078832 Ott et al. Apr 2007 A1
20070083541 Fraleigh et al. Apr 2007 A1
20070094389 Nussey et al. Apr 2007 A1
20070094500 Shannon et al. Apr 2007 A1
20070106582 Baker et al. May 2007 A1
20070143851 Nicodemus Jun 2007 A1
20070150369 Zivin Jun 2007 A1
20070174760 Chamberlain et al. Jul 2007 A1
20070192265 Chopin et al. Aug 2007 A1
20070198571 Ferguson et al. Aug 2007 A1
20070208497 Downs et al. Sep 2007 A1
20070208498 Barker et al. Sep 2007 A1
20070208736 Tanigawa et al. Sep 2007 A1
20070233709 Abnous Oct 2007 A1
20070240062 Christena et al. Oct 2007 A1
20070266336 Nojima et al. Nov 2007 A1
20070284433 Domenica et al. Dec 2007 A1
20070294200 Au Dec 2007 A1
20070294643 Kyle Dec 2007 A1
20070294766 Mir et al. Dec 2007 A1
20080016216 Worley et al. Jan 2008 A1
20080040684 Crump Feb 2008 A1
20080051989 Welsh Feb 2008 A1
20080052142 Bailey et al. Feb 2008 A1
20080069081 Chand et al. Mar 2008 A1
20080077597 Butler Mar 2008 A1
20080077642 Carbone et al. Mar 2008 A1
20080082486 Lermant et al. Apr 2008 A1
20080104019 Nath May 2008 A1
20080104407 Horne et al. May 2008 A1
20080126951 Sood et al. May 2008 A1
20080133567 Ames et al. Jun 2008 A1
20080148398 Mezack et al. Jun 2008 A1
20080155440 Trevor et al. Jun 2008 A1
20080162616 Gross et al. Jul 2008 A1
20080175266 Alperovitch et al. Jul 2008 A1
20080195417 Surpin et al. Aug 2008 A1
20080195608 Clover Aug 2008 A1
20080201580 Savitzky et al. Aug 2008 A1
20080222295 Robinson et al. Sep 2008 A1
20080222706 Renaud et al. Sep 2008 A1
20080229422 Hudis et al. Sep 2008 A1
20080244742 Neystadt et al. Oct 2008 A1
20080255973 El Wade et al. Oct 2008 A1
20080263468 Cappione et al. Oct 2008 A1
20080267107 Rosenberg Oct 2008 A1
20080276167 Michael Nov 2008 A1
20080278311 Grange et al. Nov 2008 A1
20080288306 MacIntyre et al. Nov 2008 A1
20080288425 Posse et al. Nov 2008 A1
20080301643 Appleton et al. Dec 2008 A1
20080313132 Hao et al. Dec 2008 A1
20090002492 Velipasalar et al. Jan 2009 A1
20090018940 Wang et al. Jan 2009 A1
20090024505 Patel et al. Jan 2009 A1
20090027418 Maru et al. Jan 2009 A1
20090030915 Winter et al. Jan 2009 A1
20090044279 Crawford et al. Feb 2009 A1
20090055251 Shah et al. Feb 2009 A1
20090076845 Bellin et al. Mar 2009 A1
20090082997 Tokman et al. Mar 2009 A1
20090083184 Eisen Mar 2009 A1
20090088964 Schaaf et al. Apr 2009 A1
20090094166 Aymeloglu et al. Apr 2009 A1
20090103442 Douville Apr 2009 A1
20090106178 Chu Apr 2009 A1
20090112745 Stefanescu Apr 2009 A1
20090119309 Gibson et al. May 2009 A1
20090125359 Knapic May 2009 A1
20090125369 Kloosstra et al. May 2009 A1
20090125459 Norton et al. May 2009 A1
20090132921 Hwangbo et al. May 2009 A1
20090132953 Reed et al. May 2009 A1
20090143052 Bates et al. Jun 2009 A1
20090144262 White et al. Jun 2009 A1
20090144274 Fraleigh et al. Jun 2009 A1
20090164934 Bhattiprolu et al. Jun 2009 A1
20090171939 Athsani et al. Jul 2009 A1
20090172511 Decherd et al. Jul 2009 A1
20090172821 Daira et al. Jul 2009 A1
20090177962 Gusmorino et al. Jul 2009 A1
20090179892 Tsuda et al. Jul 2009 A1
20090187464 Bai et al. Jul 2009 A1
20090187546 Whyte et al. Jul 2009 A1
20090187548 Ji et al. Jul 2009 A1
20090192957 Subramanian et al. Jul 2009 A1
20090222400 Kupershmidt et al. Sep 2009 A1
20090222759 Drieschner Sep 2009 A1
20090222760 Halverson et al. Sep 2009 A1
20090228701 Lin Sep 2009 A1
20090234720 George et al. Sep 2009 A1
20090249244 Robinson et al. Oct 2009 A1
20090254970 Agarwal et al. Oct 2009 A1
20090254971 Herz Oct 2009 A1
20090271343 Vaiciulis et al. Oct 2009 A1
20090271359 Bayliss Oct 2009 A1
20090281839 Lynn et al. Nov 2009 A1
20090287470 Farnsworth et al. Nov 2009 A1
20090292626 Oxford Nov 2009 A1
20090300589 Watters et al. Dec 2009 A1
20090313463 Pang et al. Dec 2009 A1
20090318775 Michelson et al. Dec 2009 A1
20090319418 Herz Dec 2009 A1
20090328222 Helman et al. Dec 2009 A1
20100011282 Dollard et al. Jan 2010 A1
20100042922 Bradateanu et al. Feb 2010 A1
20100057622 Faith et al. Mar 2010 A1
20100057716 Stefik et al. Mar 2010 A1
20100070523 Delgo et al. Mar 2010 A1
20100070842 Aymeloglu et al. Mar 2010 A1
20100070845 Facemire et al. Mar 2010 A1
20100070897 Aymeloglu et al. Mar 2010 A1
20100077481 Polyakov et al. Mar 2010 A1
20100077483 Stolfo et al. Mar 2010 A1
20100098318 Anderson Apr 2010 A1
20100100963 Mahaffey Apr 2010 A1
20100103124 Kruzeniski et al. Apr 2010 A1
20100106611 Paulsen et al. Apr 2010 A1
20100114887 Conway et al. May 2010 A1
20100122152 Chamberlain et al. May 2010 A1
20100125546 Barrett et al. May 2010 A1
20100131457 Heimendinger May 2010 A1
20100162176 Dunton Jun 2010 A1
20100169237 Howard et al. Jul 2010 A1
20100185691 Irmak et al. Jul 2010 A1
20100191563 Schlaifer et al. Jul 2010 A1
20100198684 Eraker et al. Aug 2010 A1
20100199225 Coleman et al. Aug 2010 A1
20100211578 Lundberg et al. Aug 2010 A1
20100228812 Uomini Sep 2010 A1
20100235915 Memon et al. Sep 2010 A1
20100250412 Wagner Sep 2010 A1
20100262688 Hussain et al. Oct 2010 A1
20100280857 Liu et al. Nov 2010 A1
20100293174 Bennett et al. Nov 2010 A1
20100306029 Jolley Dec 2010 A1
20100306713 Geisner et al. Dec 2010 A1
20100313119 Baldwin et al. Dec 2010 A1
20100313266 Feng et al. Dec 2010 A1
20100318924 Frankel et al. Dec 2010 A1
20100321399 Ellren et al. Dec 2010 A1
20100325526 Ellis et al. Dec 2010 A1
20100325581 Finkelstein et al. Dec 2010 A1
20100330801 Rouh Dec 2010 A1
20110029526 Knight et al. Feb 2011 A1
20110047159 Baid et al. Feb 2011 A1
20110055140 Roychowdhury Mar 2011 A1
20110060753 Shaked et al. Mar 2011 A1
20110060910 Gormish et al. Mar 2011 A1
20110061013 Bilicki et al. Mar 2011 A1
20110066933 Ludwig Mar 2011 A1
20110074811 Hanson et al. Mar 2011 A1
20110078055 Faribault et al. Mar 2011 A1
20110078173 Seligmann et al. Mar 2011 A1
20110087519 Fordyce, III et al. Apr 2011 A1
20110093327 Fordyce, III et al. Apr 2011 A1
20110099133 Chang et al. Apr 2011 A1
20110117878 Barash et al. May 2011 A1
20110119100 Ruhl et al. May 2011 A1
20110131122 Griffin et al. Jun 2011 A1
20110137766 Rasmussen et al. Jun 2011 A1
20110153384 Horne et al. Jun 2011 A1
20110161096 Buehler et al. Jun 2011 A1
20110167054 Bailey et al. Jul 2011 A1
20110167105 Ramakrishnan et al. Jul 2011 A1
20110167493 Song et al. Jul 2011 A1
20110170799 Carrino et al. Jul 2011 A1
20110173032 Payne et al. Jul 2011 A1
20110173093 Psota et al. Jul 2011 A1
20110178842 Rane et al. Jul 2011 A1
20110185316 Reid et al. Jul 2011 A1
20110202555 Cordover et al. Aug 2011 A1
20110208724 Jones et al. Aug 2011 A1
20110213655 Henkin Sep 2011 A1
20110218934 Elser Sep 2011 A1
20110219450 McDougal et al. Sep 2011 A1
20110225198 Edwards et al. Sep 2011 A1
20110225650 Margolies et al. Sep 2011 A1
20110231223 Winters Sep 2011 A1
20110238495 Kang Sep 2011 A1
20110238510 Rowen et al. Sep 2011 A1
20110238553 Raj et al. Sep 2011 A1
20110238570 Li et al. Sep 2011 A1
20110246229 Pacha Oct 2011 A1
20110251951 Kolkowtiz Oct 2011 A1
20110258158 Resende et al. Oct 2011 A1
20110270604 Qi et al. Nov 2011 A1
20110270705 Parker Nov 2011 A1
20110289397 Eastmond et al. Nov 2011 A1
20110289407 Naik et al. Nov 2011 A1
20110289420 Morioka et al. Nov 2011 A1
20110291851 Whisenant Dec 2011 A1
20110307382 Siegel et al. Dec 2011 A1
20110310005 Chen et al. Dec 2011 A1
20110314007 Dassa et al. Dec 2011 A1
20110314546 Aziz et al. Dec 2011 A1
20120004904 Shin et al. Jan 2012 A1
20120011238 Rathod Jan 2012 A1
20120019559 Siler et al. Jan 2012 A1
20120036013 Neuhaus et al. Feb 2012 A1
20120036434 Oberstein Feb 2012 A1
20120050293 Carlhian et al. Mar 2012 A1
20120066166 Curbera et al. Mar 2012 A1
20120066296 Appleton et al. Mar 2012 A1
20120072825 Sherkin et al. Mar 2012 A1
20120079363 Folting et al. Mar 2012 A1
20120079592 Pandrangi Mar 2012 A1
20120084118 Bai et al. Apr 2012 A1
20120084135 Nissan et al. Apr 2012 A1
20120084866 Stolfo Apr 2012 A1
20120106801 Jackson May 2012 A1
20120110633 An et al. May 2012 A1
20120110674 Belani et al. May 2012 A1
20120117082 Koperda et al. May 2012 A1
20120124671 Fritzson May 2012 A1
20120131107 Yost May 2012 A1
20120131512 Takeuchi et al. May 2012 A1
20120137235 TS et al. May 2012 A1
20120144335 Abeln et al. Jun 2012 A1
20120158626 Zhu et al. Jun 2012 A1
20120159307 Chung et al. Jun 2012 A1
20120159362 Brown et al. Jun 2012 A1
20120159399 Bastide et al. Jun 2012 A1
20120169593 Mak et al. Jul 2012 A1
20120170847 Tsukidate Jul 2012 A1
20120173381 Smith Jul 2012 A1
20120173985 Peppel Jul 2012 A1
20120180002 Campbell et al. Jul 2012 A1
20120196557 Reich et al. Aug 2012 A1
20120196558 Reich et al. Aug 2012 A1
20120197651 Robinson et al. Aug 2012 A1
20120203708 Psota et al. Aug 2012 A1
20120208636 Feige Aug 2012 A1
20120215898 Shah et al. Aug 2012 A1
20120218305 Patterson et al. Aug 2012 A1
20120221511 Gibson et al. Aug 2012 A1
20120221553 Wittmer et al. Aug 2012 A1
20120221580 Barney Aug 2012 A1
20120245976 Kumar et al. Sep 2012 A1
20120246148 Dror Sep 2012 A1
20120254129 Wheeler et al. Oct 2012 A1
20120254947 Dheap et al. Oct 2012 A1
20120266245 McDougal et al. Oct 2012 A1
20120284345 Costenaro et al. Nov 2012 A1
20120284791 Miller et al. Nov 2012 A1
20120290879 Shibuya et al. Nov 2012 A1
20120296907 Long et al. Nov 2012 A1
20120304244 Xie et al. Nov 2012 A1
20120310831 Harris et al. Dec 2012 A1
20120310838 Harris et al. Dec 2012 A1
20120311684 Paulsen et al. Dec 2012 A1
20120323829 Stokes et al. Dec 2012 A1
20120323888 Osann, Jr. Dec 2012 A1
20120330801 McDougal et al. Dec 2012 A1
20120330973 Ghuneim et al. Dec 2012 A1
20130006426 Healey et al. Jan 2013 A1
20130006655 Van Arkel et al. Jan 2013 A1
20130006668 Van Arkel et al. Jan 2013 A1
20130006725 Simanek et al. Jan 2013 A1
20130006916 McBride et al. Jan 2013 A1
20130018796 Kolhatkar et al. Jan 2013 A1
20130019306 Lagar-Cavilla et al. Jan 2013 A1
20130024268 Manickavelu Jan 2013 A1
20130024307 Fuerstenberg et al. Jan 2013 A1
20130024339 Choudhuri et al. Jan 2013 A1
20130046635 Grigg et al. Feb 2013 A1
20130046842 Muntz et al. Feb 2013 A1
20130060786 Serrano et al. Mar 2013 A1
20130061169 Pearcy et al. Mar 2013 A1
20130073377 Heath Mar 2013 A1
20130073454 Busch Mar 2013 A1
20130078943 Biage et al. Mar 2013 A1
20130086482 Parsons Apr 2013 A1
20130096988 Grossman et al. Apr 2013 A1
20130097482 Marantz et al. Apr 2013 A1
20130097709 Basavapatna et al. Apr 2013 A1
20130101159 Chao et al. Apr 2013 A1
20130110822 Ikeda et al. May 2013 A1
20130110876 Meijer et al. May 2013 A1
20130110877 Bonham et al. May 2013 A1
20130111320 Campbell et al. May 2013 A1
20130117651 Waldman et al. May 2013 A1
20130139261 Friedrichs et al. May 2013 A1
20130139268 An et al. May 2013 A1
20130150004 Rosen Jun 2013 A1
20130151148 Parundekar et al. Jun 2013 A1
20130151388 Falkenborg et al. Jun 2013 A1
20130151453 Bhanot et al. Jun 2013 A1
20130157234 Gulli et al. Jun 2013 A1
20130160120 Malaviya et al. Jun 2013 A1
20130166480 Popescu et al. Jun 2013 A1
20130166550 Buchmann et al. Jun 2013 A1
20130176321 Mitchell et al. Jul 2013 A1
20130179420 Park et al. Jul 2013 A1
20130185307 El-Yaniv et al. Jul 2013 A1
20130185320 Iwasaki et al. Jul 2013 A1
20130197925 Blue Aug 2013 A1
20130211985 Clark et al. Aug 2013 A1
20130224696 Wolfe et al. Aug 2013 A1
20130225212 Khan Aug 2013 A1
20130226318 Procyk Aug 2013 A1
20130226953 Markovich et al. Aug 2013 A1
20130232045 Tai et al. Sep 2013 A1
20130238616 Rose et al. Sep 2013 A1
20130239217 Kindler et al. Sep 2013 A1
20130246170 Gross et al. Sep 2013 A1
20130251233 Yang et al. Sep 2013 A1
20130262527 Hunter et al. Oct 2013 A1
20130263019 Castellanos et al. Oct 2013 A1
20130267207 Hao et al. Oct 2013 A1
20130268520 Fisher et al. Oct 2013 A1
20130268994 Cooper et al. Oct 2013 A1
20130276799 Davidson Oct 2013 A1
20130279757 Kephart Oct 2013 A1
20130282696 John et al. Oct 2013 A1
20130290011 Lynn et al. Oct 2013 A1
20130290825 Arndt et al. Oct 2013 A1
20130297619 Chandrasekaran et al. Nov 2013 A1
20130311375 Priebatsch Nov 2013 A1
20130318594 Hoy et al. Nov 2013 A1
20130339218 Subramanian et al. Dec 2013 A1
20130339514 Crank et al. Dec 2013 A1
20140006109 Callioni et al. Jan 2014 A1
20140012796 Petersen et al. Jan 2014 A1
20140013451 Kulka et al. Jan 2014 A1
20140019936 Cohanoff Jan 2014 A1
20140032506 Hoey et al. Jan 2014 A1
20140033010 Richardt et al. Jan 2014 A1
20140040371 Gurevich et al. Feb 2014 A1
20140047319 Eberlein Feb 2014 A1
20140047357 Alfaro et al. Feb 2014 A1
20140058763 Zizzamia et al. Feb 2014 A1
20140059038 McPherson et al. Feb 2014 A1
20140059683 Ashley Feb 2014 A1
20140067611 Adachi et al. Mar 2014 A1
20140068487 Steiger et al. Mar 2014 A1
20140074855 Zhao et al. Mar 2014 A1
20140081652 Klindworth Mar 2014 A1
20140082726 Dreller Mar 2014 A1
20140095273 Tang et al. Apr 2014 A1
20140095509 Patton Apr 2014 A1
20140108068 Williams Apr 2014 A1
20140108380 Gotz et al. Apr 2014 A1
20140108985 Scott et al. Apr 2014 A1
20140123279 Bishop et al. May 2014 A1
20140129261 Bothwell et al. May 2014 A1
20140136285 Carvalho May 2014 A1
20140143009 Brice et al. May 2014 A1
20140149130 Getchius May 2014 A1
20140149272 Hirani et al. May 2014 A1
20140149436 Bahrami et al. May 2014 A1
20140156484 Chan et al. Jun 2014 A1
20140156527 Grigg et al. Jun 2014 A1
20140157172 Peery et al. Jun 2014 A1
20140164502 Khodorenko et al. Jun 2014 A1
20140173712 Ferdinand Jun 2014 A1
20140173738 Condry et al. Jun 2014 A1
20140188895 Wang et al. Jul 2014 A1
20140189536 Lange et al. Jul 2014 A1
20140195515 Baker et al. Jul 2014 A1
20140195887 Ellis et al. Jul 2014 A1
20140214579 Shen et al. Jul 2014 A1
20140222521 Chait Aug 2014 A1
20140222793 Sadkin et al. Aug 2014 A1
20140229422 Jain et al. Aug 2014 A1
20140244388 Manouchehri et al. Aug 2014 A1
20140267294 Ma Sep 2014 A1
20140267295 Sharma Sep 2014 A1
20140279824 Tamayo Sep 2014 A1
20140283067 Call et al. Sep 2014 A1
20140283107 Walton et al. Sep 2014 A1
20140310266 Greenfield Oct 2014 A1
20140310282 Sprague et al. Oct 2014 A1
20140316911 Gross Oct 2014 A1
20140325643 Bart et al. Oct 2014 A1
20140331119 Dixon et al. Nov 2014 A1
20140333651 Cervelli et al. Nov 2014 A1
20140337772 Cervelli et al. Nov 2014 A1
20140344230 Krause et al. Nov 2014 A1
20140366132 Stiansen et al. Dec 2014 A1
20140379812 Bastide, II et al. Dec 2014 A1
20150019394 Unser et al. Jan 2015 A1
20150039565 Lucas Feb 2015 A1
20150046791 Isaacson Feb 2015 A1
20150046844 Lee et al. Feb 2015 A1
20150046845 Lee Feb 2015 A1
20150046870 Goldenberg et al. Feb 2015 A1
20150046876 Goldenberg Feb 2015 A1
20150067533 Volach Mar 2015 A1
20150089424 Duffield et al. Mar 2015 A1
20150100897 Sun et al. Apr 2015 A1
20150100907 Erenrich et al. Apr 2015 A1
20150106379 Elliot et al. Apr 2015 A1
20150128274 Giokas May 2015 A1
20150134666 Gattiker et al. May 2015 A1
20150169709 Kara et al. Jun 2015 A1
20150169726 Kara et al. Jun 2015 A1
20150170077 Kara et al. Jun 2015 A1
20150178825 Huerta Jun 2015 A1
20150178877 Bogomolov et al. Jun 2015 A1
20150186494 Gilad Jul 2015 A1
20150186821 Wang et al. Jul 2015 A1
20150187036 Wang et al. Jul 2015 A1
20150188715 Castelluci et al. Jul 2015 A1
20150207809 MacAulay Jul 2015 A1
20150223158 McCann et al. Aug 2015 A1
20150227295 Meiklejohn et al. Aug 2015 A1
20150229664 Hawthorn et al. Aug 2015 A1
20150235334 Wang et al. Aug 2015 A1
20150248563 Alfarano et al. Sep 2015 A1
20150256498 Snider et al. Sep 2015 A1
20150261847 Ducott et al. Sep 2015 A1
20150309719 Ma et al. Oct 2015 A1
20150317342 Grossman et al. Nov 2015 A1
20150324868 Kaftan et al. Nov 2015 A1
20150326601 Grondin et al. Nov 2015 A1
20150347558 Blaas et al. Dec 2015 A1
20160004764 Chakerian et al. Jan 2016 A1
20160004864 Falk et al. Jan 2016 A1
20160028759 Visbal Jan 2016 A1
20160034470 Sprague et al. Feb 2016 A1
20160048937 Mathura et al. Feb 2016 A1
20170041335 Spiro et al. Feb 2017 A1
20170134397 Dennison et al. May 2017 A1
20170237755 Visbal Aug 2017 A1
20190036945 Dennison et al. Jan 2019 A1
20190158515 Visbal May 2019 A1
Foreign Referenced Citations (64)
Number Date Country
101729531 Jun 2010 CN
103281301 Sep 2013 CN
102054015 May 2014 CN
102014103482 Sep 2014 DE
102014204827 Sep 2014 DE
102014204830 Sep 2014 DE
102014204834 Sep 2014 DE
102014215621 Feb 2015 DE
1191463 Mar 2002 EP
1672527 Jun 2006 EP
1962222 Aug 2008 EP
2551799 Jan 2013 EP
2555153 Feb 2013 EP
2560134 Feb 2013 EP
2778977 Sep 2014 EP
2778983 Sep 2014 EP
2779082 Sep 2014 EP
2835745 Feb 2015 EP
2835770 Feb 2015 EP
2838039 Feb 2015 EP
2846241 Mar 2015 EP
2851852 Mar 2015 EP
2858014 Apr 2015 EP
2858018 Apr 2015 EP
2863326 Apr 2015 EP
2863346 Apr 2015 EP
2869211 May 2015 EP
2881868 Jun 2015 EP
2884439 Jun 2015 EP
2884440 Jun 2015 EP
2891992 Jul 2015 EP
2892197 Jul 2015 EP
2897051 Jul 2015 EP
2911078 Aug 2015 EP
2911100 Aug 2015 EP
2940603 Nov 2015 EP
2940609 Nov 2015 EP
2963577 Jan 2016 EP
2963578 Jan 2016 EP
2985729 Feb 2016 EP
2985974 Feb 2016 EP
3018879 May 2016 EP
3128449 Dec 2018 EP
2513247 Oct 2014 GB
2516155 Jan 2015 GB
2518745 Apr 2015 GB
2012778 Nov 2014 NL
2013306 Feb 2015 NL
2011642 Aug 2015 NL
624557 Dec 2014 NZ
WO 00009529 Feb 2000 WO
WO 02065353 Aug 2002 WO
WO 2005010685 Feb 2005 WO
WO 2005104736 Nov 2005 WO
WO 2005116851 Dec 2005 WO
WO 2008011728 Jan 2008 WO
WO 2008064207 May 2008 WO
WO 2008113059 Sep 2008 WO
WO 2009061501 May 2009 WO
WO 2010000014 Jan 2010 WO
WO 2010030913 Mar 2010 WO
WO 2013010157 Jan 2013 WO
WO 2013102892 Jul 2013 WO
WO 2013126281 Aug 2013 WO
Non-Patent Literature Citations (345)
Entry
US 8,712,906 B1, 04/2014, Sprague et al. (withdrawn)
US 8,725,631 B1, 05/2014, Sprague et al. (withdrawn)
“A First Look: Predicting Market Demand for Food Retail using a Huff Analysis,” TRF Policy Solutions, Jul. 2012, pp. 30.
“A Quick Guide to UniProtKB Swiss-Prot & TrEMBL,” Sep. 2011, pp. 2.
“HunchLab: Heat Map and Kernel Density Calculation for Crime Analysis,” Azavea Journal, printed from www.azavea.com/blogs/newsletter/v4i4/kernel-density-capabilities-added-to-hunchlab/ on Sep. 9, 2014, 2 pages.
“Refresh CSS Ellipsis When Resizing Container—Stack Overflow,” Jul. 31, 2013, retrieved from internet http://stackoverflow.com/questions/17964681/refresh-css-ellipsis-when-resizing-container, retrieved on May 18, 2015.
“The FASTA Program Package,” fasta-36.3.4, Mar. 25, 2011, pp. 29.
About 80 Minutes, “Palantir in a Number of Parts—Part 6—Graph,” Mar. 21, 2013, pp. 1-6.
Acklen, Laura, “Absolute Beginner's Guide to Microsoft Word 2003,” Dec. 24, 2003, pp. 15-18, 34-41, 308-316.
Alur et al., “Chapter 2: IBM InfoSphere DataStage Stages,” IBM InfoSphere DataStage Data Flow and Job Design, Jul. 1, 2008, pp. 35-137.
Amnet, “5 Great Tools for Visualizing Your Twitter Followers,” posted Aug. 4, 2010, http://www.amnetblog.com/component/content/article/115-5-grate-tools-for-visualizing-your-twitter-followers.html.
Ananiev et al., “The New Modality API,” http://web.archive.org/web/20061211011958/http://java.sun.com/developer/technicalArticles/J2SE/Desktop/javase6/modality/ Jan. 21, 2006, pp. 8.
Appacts, “Smart Thinking for Super Apps,” http://www.appacts.com Printed Jul. 18, 2013 in 4 pages.
Apsalar, “Data Powered Mobile Advertising,” “Free Mobile App Analytics” and various analytics related screen shots http://apsalar.com Printed Jul. 18, 2013 in 8 pages.
Baker et al., “The Development of a Common Enumeration of Vulnerabilities and Exposures,” Presented at the Second International Workshop on Recent Advances in Intrusion Detection, Sep. 7-9, 1999, pp. 35.
Bhuyan et al., “Network Anomaly Detection: Methods, Systems and Tools,” First Quarter 2014, IEEE.
Bluttman et al., “Excel Formulas and Functions for Dummies,” 2005, Wiley Publishing, Inc., pp. 280, 284-286.
Boyce, Jim, “Microsoft Outlook 2010 Inside Out,” Aug. 1, 2010, retrieved from the internet https://capdtron.files.wordpress.com/2013/01/outlook-2010-inside_out.pdf.
Bugzilla@Mozilla, “Bug 18726—[feature] Long-click means of invoking contextual menus not supported,” http://bugzilla.mozilla.org/show_bug.cgi?id=18726 printed Jun. 13, 2013 in 11 pages.
Canese et al., “Chapter 2: PubMed: The Bibliographic Database,” The NCBI Handbook, Oct. 2002, pp. 1-10.
Capptain—Pilot Your Apps, http://www.capptain.com Printed Jul. 18, 2013 in 6 pages.
Celik, Tantek, “CSS Basic User Interface Module Level 3 (CSS3 UI),” Section 8 Resizing and Overflow, Jan. 17, 2012, retrieved from internet http://www.w3.org/TR/2012/WD-css3-ui-20120117/#resizing-amp-overflow retrieved on May 18, 2015.
Chen et al., “Bringing Order to the Web: Automatically Categorizing Search Results,” CHI 2000, Proceedings of the SIGCHI conference on Human Factors in Computing Systems, Apr. 1-6, 2000, The Hague, The Netherlands, pp. 145-152.
Chung, Chin-Wan, “Dataplex: An Access to Heterogeneous Distributed Databases,” Communications of the ACM, Association for Computing Machinery, Inc., vol. 33, No. 1, Jan. 1, 1990, pp. 70-80.
Conner, Nancy, “Google Apps: The Missing Manual,” May 1, 2008, pp. 15.
Countly Mobile Analytics, http://count.ly/ Printed Jul. 18, 2013 in 9 pages.
Crosby et al., “Efficient Data Structures for Tamper-Evident Logging,” Department of Computer Science, Rice University, 2009, pp. 17.
Definition “Identify”, downloaded Jan. 22, 2015, 1 page.
Definition “Overlay”, downloaded Jan. 22, 2015, 1 page.
Delcher et al., “Identifying Bacterial Genes and Endosymbiont DNA with Glimmer,” BioInformatics, vol. 23, No. 6, 2007, pp. 673-679.
DISTIMO—App Analytics, http://www.distimo.com/app-analytics Printed Jul. 18, 2013 in 5 pages.
Dramowicz, Ela, “Retail Trade Area Analysis Using the Huff Model,” Directions Magazine, Jul. 2, 2005 in 10 pages, http://www.directionsmag.com/articles/retail-trade-area-analysis-using-the-huff-model/123411.
FireEye—Products and Solutions Overview, http://www.fireeye.com/products-and-solutions Printed Jun. 30, 2014 in 3 pages.
FireEye, http://www.fireeye.com/ Printed Jun. 30, 2014 in 2 pages.
Flurry Analytics, http://www.flurry.com/ Printed Jul. 18, 2013 in 14 pages.
Gesher, Ari, “Palantir Screenshots in the Wild: Swing Sightings,” The Palantir Blog, Sep. 11, 2007, pp. 1-12.
GIS-NET 3 Public_Department of Regional Planning. Planning & Zoning Information for Unincorporated LA County. Retrieved Oct. 2, 2013 from http://gis.planning.lacounty.gov/GIS-NET3_Public/Viewer.html.
Glaab et al., “EnrichNet: Network-Based Gene Set Enrichment Analysis,” Bioinformatics 28.18 (2012): pp. i451-i457.
Google Analytics Official Website—Web Analytics & Reporting, http://www.google.com/analytics.index.html Printed Jul. 18, 2013 in 22 pages.
Gorr et al., “Crime Hot Spot Forecasting: Modeling and Comparative Evaluation”, Grant 98-IJ-CX-K005, May 6, 2002, 37 pages.
Goswami, Gautam, “Quite Writly Said!,” One Brick at a Time, Aug. 21, 2005, pp. 7.
Griffith, Daniel A., “A Generalized Huff Model,” Geographical Analysis, Apr. 1982, vol. 14, No. 2, pp. 135-144.
Gu et al., “Record Linkage: Current Practice and Future Directions,” Jan. 15, 2004, pp. 32.
Hansen et al., “Analyzing Social Media Networks with NodeXL: Insights from a Connected World”, Chapter 4, pp. 53-67 and Chapter 10, pp. 143-164, published Sep. 2010.
Hardesty, “Privacy Challenges: Analysis: It's Surprisingly Easy to Identify Individuals from Credit-Card Metadata,” MIT News on Campus and Around the World, MIT News Office, Jan. 29, 2015, 3 pages.
Hibbert et al., “Prediction of Shopping Behavior Using a Huff Model Within a GIS Framework,” Healthy Eating in Context, Mar. 18, 2011, pp. 16.
Hogue et al., “Thresher: Automating the Unwrapping of Semantic Content from the World Wide Web,” 14th International Conference on World Wide Web, WWW 2005: Chiba, Japan, May 10-14, 2005, pp. 86-95.
Hua et al., “A Multi-attribute Data Structure with Parallel Bloom Filters for Network Services”, HiPC 2006, LNCS 4297, pp. 277-288, 2006.
Huang et al., “Systematic and Integrative Analysis of Large Gene Lists Using DAVID Bioinformatics Resources,” Nature Protocols, 4.1, 2008, 44-57.
Huff et al., “Calibrating the Huff Model Using ArcGIS Business Analyst,” ESRI, Sep. 2008, pp. 33.
Huff, David L., “Parameter Estimation in the Huff Model,” ESRI, ArcUser, Oct.-Dec. 2003, pp. 34-36.
Hur et al., “SciMiner: web-based literature mining tool for target identification and functional enrichment analysis,” Bioinformatics 25.6 (2009): pp. 838-840.
Kahan et al., “Annotea: an Open RDF Infrastructure for Shared Web Annotations”, Computer Networks, Elsevier Science Publishers B.V., vol. 39, No. 5, dated Aug. 5, 2002, pp. 589-608.
Kitts, Paul, “Chapter 14: Genome Assembly and Annotation Process,” The NCBI Handbook, Oct. 2002, pp. 1-21.
Kontagent Mobile Analytics, http://www.kontagent.com/ Printed Jul. 18, 2013 in 9 pages.
Lee et al., “A Data Mining and CIDF Based Approach for Detecting Novel and Distributed Intrusions,” Lecture Notes in Computer Science, vol. 1907 Nov. 11, 2000, pp. 49-65.
Li et al., “Interactive Multimodal Visual Search on Mobile Device,” IEEE Transactions on Multimedia, vol. 15, No. 3, Apr. 1, 2013, pp. 594-607.
Liu, Tianshun, “Combining GIS and the Huff Model to Analyze Suitable Locations for a New Asian Supermarket in the Minneapolis and St. Paul, Minnesota USA,” Papers in Resource Analysis, 2012, vol. 14, pp. 8.
Localytics—Mobile App Marketing & Analytics, http://www.localytics.com/ Printed Jul. 18, 2013 in 12 pages.
Ma et al. “A New Approach to Secure Logging,” ACM Transactions on Storage, vol. 5, No. 1, Article 2, Published Mar. 2009, 21 pages.
Madden, Tom, “Chapter 16: The BLAST Sequence Analysis Tool,” The NCBI Handbook, Oct. 2002, pp. 1-15.
Manno et al., “Introducing Collaboration in Single-user Applications through the Centralized Control Architecture,” 2010, pp. 10.
Manske, “File Saving Dialogs,” http://www.mozilla.org/editor/ui_specs/FileSaveDialogs.html, Jan. 20, 1999, pp. 7.
Map Builder, “Rapid Mashup Development Tool for Google and Yahoo Maps!” http://web.archive.org/web/20090626224734/http://www.mapbuilder.net/ printed Jul. 20, 2012 in 2 pages.
Map of San Jose, CA. Retrieved Oct. 2, 2013 from http://maps.yahoo.com.
Map of San Jose, CA. Retrieved Oct. 2, 2013 from http://maps.bing.com.
Map of San Jose, CA. Retrieved Oct. 2, 2013 from http://maps.google.com.
Microsoft—Developer Network, “Getting Started with VBA in Word 2010,” Apr. 2010, http://msdn.microsoft.com/en-us/library/ff604039%28v=office.14%29.aspx as printed Apr. 4, 2014 in 17 pages.
Microsoft Office—Visio, “About connecting shapes,” http://office.microsoft.com/en-us/visio-help/about-connecting-shapes-HP085050369.aspx printed Aug. 4, 2011 in 6 pages.
Microsoft Office—Visio, “Add and glue connectors with the Connector tool,” http://office.microsoft.com/en-us/visio-help/add-and-glue-connectors-with-the-connector-tool-HA010048532.aspx?CTT=1 printed Aug. 4, 2011 in 1 page.
Mixpanel—Mobile Analytics, https://mixpanel.com/ Printed Jul. 18, 2013 in 13 pages.
Mizrachi, Ilene, “Chapter 1: GenBank: The Nuckeotide Sequence Database,” The NCBI Handbook, Oct. 2002, pp. 1-14.
Nierman, “Evaluating Structural Similarity in XML Documents”, 6 pages, 2002.
Olanoff, Drew, “Deep Dive with the New Google Maps for Desktop with Google Earth Integration, It's More than Just a Utility,” May 15, 2013, pp. 1-6, retrieved from the internet: http://web.archive.org/web/20130515230641/http://techcrunch.com/2013/05/15/deep-dive-with-the-new-google-maps-for-desktop-with-google-earth-integration-its-more-than-just-a-utility/.
Open Web Analytics (OWA), http://www.openwebanalytics.com/ Printed Jul. 19, 2013 in 5 pages.
Palantir Technologies, “Palantir Labs Timeline,” Oct. 1, 2010, retrieved from the internet https://www.youtube.com/watch?v=JCgDW5bru9M.
Palmas et al., “An Edge-Bunding Layout for Interactive Parallel Coordinates” 2014 IEEE Pacific Visualization Symposium, pp. 57-64.
Piwik—Free Web Analytics Software. http://piwik.org/ Printed Jul. 19, 2013 in18 pages.
QUEST, “Toad for ORACLE 11.6—Guide to Using Toad,” Sep. 24, 2012, pp. 1-162.
Rouse, Margaret, “OLAP Cube,” http://searchdatamanagement.techtarget.com/definition/OLAP-cube, Apr. 28, 2012, pp. 16.
Schneier et al., “Automatic Event Stream Notarization Using Digital Signatures,” Security Protocols, International Workshop Apr. 1996 Proceedings, Springer-Veriag, 1997, pp. 155-169, https://schneier.com/paper-event-stream.pdf.
Schneier et al., “Cryptographic Support for Secure Logs on Untrusted Machines,” The Seventh USENIX Security Symposium Proceedings, USENIX Press, Jan. 1998, pp. 53-62, https://www.schneier.com/paper-secure-logs.pdf.
Sigrist, et al., “PROSITE, a Protein Domain Database for Functional Characterization and Annotation,” Nucleic Acids Research, 2010, vol. 38, pp. D161-D166.
Sirotkin et al., “Chapter 13: The Processing of Biological Sequence Data at NCBI,” The NCBI Handbook, Oct. 2002, pp. 1-11.
StatCounter—Free Invisible Web Tracker, Hit Counter and Web Stats, http://statcounter.com/ Printed Jul. 19, 2013 in 17 pages.
TestFlight—Beta Testing on the Fly, http://testflightapp.com/ Printed Jul. 18, 2013 in 3 pages.
Thompson, Mick, “Getting Started with GEO,” Getting Started with GEO, Jul. 26, 2011.
trak.io, http://trak.io/ printed Jul. 18, 2013 in 3 pages.
Umagandhi et al., “Search Query Recommendations Using Hybrid User Profile with Query Logs,” International Journal of Computer Applications, vol. 80, No. 10, Oct. 1, 2013, pp. 7-18.
UserMetrix, http://usermetrix.com/android-analytics printed Jul. 18, 2013 in 3 pages.
Valentini et al., “Ensembles of Learning Machines”, M. Marinaro and R. Tagliaferri (Eds.): WIRN VIETRI 2002, LNCS 2486, pp. 3-20.
VirusTotal—About, http://www.virustotal.com/en/about/ Printed Jun. 30, 2014 in 8 pages.
Vose et al., “Help File for ModelRisk Version 5,” 2007, Vose Software, pp. 349-353. [Uploaded in 2 Parts].
Waters et al., “Building an Encrypted and Searchable Audit Log,” Published Jan. 9, 2004, 11 pages, http://www.parc.com/content/attachments/building_encrypted_searchable_5059_parc.pdf.
Wikipedia, “Federated Database System,” Sep. 7, 2013, retrieved from the internet on Jan. 27, 2015 http://en.wikipedia.org/w/index.php?title-Federated_database_system&oldid=571954221.
Wright et al., “Palantir Technologies VAST 2010 Challenge Text Records_Investigations into Arms Dealing,” Oct. 29, 2010, pp. 1-10.
Yang et al., “HTML Page Analysis Based on Visual Cues”, A129, pp. 859-864, 2001.
Zheng et al., “GOEAST: a web-based software toolkit for Gene Ontology enrichment analysis,” Nucleic acids research 36.suppl 2 (2008): pp. W385-W363.
International Search Report and Written Opinion in Application No. PCT/US2009/056703, dated Mar. 15, 2010.
Notice of Acceptance for Australian Patent Application No. 2014250678 dated Oct. 7, 2015.
Notice of Allowance for U.S. Appl. No. 12/556,318 dated Nov. 2, 2015.
Notice of Allowance for U.S. Appl. No. 14/033,076 dated Mar. 11, 2016.
Notice of Allowance for U.S. Appl. No. 14/102,394 dated Aug. 25, 2014.
Notice of Allowance for U.S. Appl. No. 14/108,187 dated Aug. 29, 2014.
Notice of Allowance for U.S. Appl. No. 14/135,289 dated Oct. 14, 2014.
Notice of Allowance for U.S. Appl. No. 14/148,568 dated Aug. 26, 2015.
Notice of Allowance for U.S. Appl. No. 14/192,767 dated Dec. 16, 2014.
Notice of Allowance for U.S. Appl. No. 14/223,918 dated Jan. 6, 2016.
Notice of Allowance for U.S. Appl. No. 14/225,084 dated May 4, 2015.
Notice of Allowance for U.S. Appl. No. 14/268,964 dated Dec. 3, 2014.
Notice of Allowance for U.S. Appl. No. 14/294,098 dated Dec. 29, 2014.
Notice of Allowance for U.S. Appl. No. 14/326,738 dated Nov. 18, 2015.
Notice of Allowance for U.S. Appl. No. 14/479,863 dated Mar. 31, 2015.
Notice of Allowance for U.S. Appl. No. 14/504,103 dated May 18, 2015.
Notice of Allowance for U.S. Appl. No. 14/698,432 dated Sep. 28, 2016.
Notice of Allowance for U.S. Appl. No. 14/816,748 dated Oct. 19, 2016.
Notice of Allowance for U.S. Appl. No. 14/823,935 dated Apr. 25, 2016.
Notice of Allowance for U.S. Appl. No. 14/970,317 dated May 26, 2016.
Notice of Allowance for U.S. Appl. No. 15/072,174 dated Jul. 13, 2016.
Official Communication for Australian Patent Application No. 2014201511 dated Feb. 27, 2015.
Official Communication for Australian Patent Application No. 2014202442 dated Mar. 19, 2015.
Official Communication for Australian Patent Application No. 2014210604 dated Jun. 5, 2015.
Official Communication for Australian Patent Application No. 2014210614 dated Jun. 5, 2015.
Official Communication for Australian Patent Application No. 2014213553 dated May 7, 2015.
Official Communication for Australian Patent Application No. 2014250678 dated Jun. 17, 2015.
Official Communication for European Patent Application No. 14158861.6 dated Jun. 16, 2014.
Official Communication for European Patent Application No. 14159464.8 dated Jul. 31, 2014.
Official Communication for European Patent Application No. 14180142.3 dated Feb. 6, 2015.
Official Communication for European Patent Application No. 14180281.9 dated Jan. 26, 2015.
Official Communication for European Patent Application No. 14180321.3 dated Apr. 17, 2015.
Official Communication for European Patent Application No. 14180432.8 dated Jun. 23, 2015.
Official Communication for European Patent Application No. 14186225.0 dated Feb. 13, 2015.
Official Communication for European Patent Application No. 14187739.9 dated Jul. 6, 2015.
Official Communication for European Patent Application No. 14187996.5 dated Feb. 12, 2015.
Official Communication for European Patent Application No. 14189344.6 dated Feb. 20, 2015.
Official Communication for European Patent Application No. 14189347.9 dated Mar. 4, 2015.
Official Communication for European Patent Application No. 14189802.3 dated May 11, 2015.
Official Communication for European Patent Application No. 14191540.5 dated May 27, 2015.
Official Communication for European Patent Application No. 14197879.1 dated Apr. 28, 2015.
Official Communication for European Patent Application No. 14197895.7 dated Apr. 28, 2015.
Official Communication for European Patent Application No. 14197938.5 dated Apr. 28, 2015.
Official Communication for European Patent Application No. 14199180.2 dated Jun. 22, 2015.
Official Communication for European Patent Application No. 14199180.2 dated Aug. 31, 2015.
Official Communication for European Patent Application No. 14199182.8 dated Mar. 13, 2015.
Official Communication for European Patent Application No. 15155846.7 dated Jul. 8, 2015.
Official Communication for European Patent Application No. 15165244.3 dated Aug. 27, 2015.
Official Communication for European Patent Application No. 15175106.2 dated Nov. 5, 2015.
Official Communication for European Patent Application No. 15180985.2 dated Jan. 15, 2016.
Official Communication for European Patent Application No. 15183721.8 dated Nov. 23, 2015.
Official Communication for Great Britain Application No. 1413935.9 dated Jan. 27, 2015.
Official Communication for Great Britain Patent Application No. 1404486.1 dated May 21, 2015.
Official Communication for Great Britain Patent Application No. 1404486.1 dated Aug. 27, 2014.
Official Communication for Great Britain Patent Application No. 1404489.5 dated May 21, 2015.
Official Communication for Great Britain Patent Application No. 1404489.5 dated Aug. 27, 2014.
Official Communication for Great Britain Patent Application No. 1404499.4 dated Aug. 20, 2014.
Official Communication for Great Britain Patent Application No. 1404574.4 dated Dec. 18, 2014.
Official Communication for Great Britain Patent Application No. 1408025.3 dated Nov. 6, 2014.
Official Communication for Great Britain Patent Application No. 1411984.6 dated Dec. 22, 2014.
Official Communication for Great Britain Patent Application No. 1413935.6 dated Jan. 27, 2015.
Official Communication for Netherlands Patent Application No. 2012437 dated Sep. 18, 2015.
Official Communication for Netherlands Patent Application No. 2013306 dated Apr. 24, 2015.
Official Communication for New Zealand Patent Application No. 622181 dated Mar. 24, 2014.
Official Communication for New Zealand Patent Application No. 622439 dated Mar. 24, 2014.
Official Communication for New Zealand Patent Application No. 622439 dated Jun. 6, 2014.
Official Communication for New Zealand Patent Application No. 622473 dated Jun. 19, 2014.
Official Communication for New Zealand Patent Application No. 622473 dated Mar. 27, 2014.
Official Communication for New Zealand Patent Application No. 622513 dated Apr. 3, 2014.
Official Communication for New Zealand Patent Application No. 622517 dated Apr. 3, 2014.
Official Communication for New Zealand Patent Application No. 624557 dated May 14, 2014.
Official Communication for New Zealand Patent Application No. 627061 dated Jul. 14, 2014.
Official Communication for New Zealand Patent Application No. 627962 dated Aug. 5, 2014.
Official Communication for New Zealand Patent Application No. 628150 dated Aug. 15, 2014.
Official Communication for New Zealand Patent Application No. 628161 dated Aug. 25, 2014.
Official Communication for New Zealand Patent Application No. 628263 dated Aug. 12, 2014.
Official Communication for New Zealand Patent Application No. 628495 dated Aug. 19, 2014.
Official Communication for New Zealand Patent Application No. 628585 dated Aug. 26, 2014.
Official Communication for New Zealand Patent Application No. 628840 dated Aug. 28, 2014.
Official Communication for U.S. Appl. No. 12/556,318 dated Jul. 2, 2015.
Official Communication for U.S. Appl. No. 13/247,987 dated Apr. 2, 2015.
Official Communication for U.S. Appl. No. 13/247,987 dated Sep. 22, 2015.
Official Communication for U.S. Appl. No. 13/827,491 dated Dec. 1, 2014.
Official Communication for U.S. Appl. No. 13/831,791 dated Mar. 4, 2015.
Official Communication for U.S. Appl. No. 13/831,791 dated Aug. 6, 2015.
Official Communication for U.S. Appl. No. 13/835,688 dated Jun. 17, 2015.
Official Communication for U.S. Appl. No. 13/839,026 dated Aug. 4, 2015.
Official Communication for U.S. Appl. No. 14/134,558 dated Oct. 7, 2015.
Official Communication for U.S. Appl. No. 14/148,568 dated Oct. 22, 2014.
Official Communication for U.S. Appl. No. 14/148,568 dated Mar. 26, 2015.
Official Communication for U.S. Appl. No. 14/196,814 dated May 5, 2015.
Official Communication for U.S. Appl. No. 14/223,918 dated Jun. 8, 2015.
Official Communication for U.S. Appl. No. 14/225,006 dated Sep. 10, 2014.
Official Communication for U.S. Appl. No. 14/225,006 dated Sep. 2, 2015.
Official Communication for U.S. Appl. No. 14/225,006 dated Feb. 27, 2015.
Official Communication for U.S. Appl. No. 14/225,084 dated Sep. 11, 2015.
Official Communication for U.S. Appl. No. 14/225,084 dated Sep. 2, 2014.
Official Communication for U.S. Appl. No. 14/225,084 dated Feb. 20, 2015.
Official Communication for U.S. Appl. No. 14/225,160 dated Feb. 11, 2015.
Official Communication for U.S. Appl. No. 14/225,160 dated Aug. 12, 2015.
Official Communication for U.S. Appl. No. 14/225,160 dated May 20, 2015.
Official Communication for U.S. Appl. No. 14/225,160 dated Oct. 22, 2014.
Official Communication for U.S. Appl. No. 14/225,160 dated Jul. 29, 2014.
Official Communication for U.S. Appl. No. 14/268,964 dated Sep. 3, 2014.
Official Communication for U.S. Appl. No. 14/280,490 dated Jul. 24, 2014.
Official Communication for U.S. Appl. No. 14/289,596 dated Jul. 18, 2014.
Official Communication for U.S. Appl. No. 14/289,596 dated Jan. 26, 2015.
Official Communication for U.S. Appl. No. 14/289,596 dated Apr. 30, 2015.
Official Communication for U.S. Appl. No. 14/289,599 dated Jul. 22, 2014.
Official Communication for U.S. Appl. No. 14/289,599 dated May 29, 2015.
Official Communication for U.S. Appl. No. 14/289,599 dated Sep. 4, 2015.
Official Communication for U.S. Appl. No. 14/294,098 dated Aug. 15, 2014.
Official Communication for U.S. Appl. No. 14/294,098 dated Nov. 6, 2014.
Official Communication for U.S. Appl. No. 14/306,138 dated Sep. 14, 2015.
Official Communication for U.S. Appl. No. 14/306,138 dated Feb. 18, 2015.
Official Communication for U.S. Appl. No. 14/306,138 dated Sep. 23, 2014.
Official Communication for U.S. Appl. No. 14/306,138 dated May 26, 2015.
Official Communication for U.S. Appl. No. 14/306,138 dated Dec. 3, 2015.
Official Communication for U.S. Appl. No. 14/306,147 dated Feb. 19, 2015.
Official Communication for U.S. Appl. No. 14/306,147 dated Aug. 7, 2015.
Official Communication for U.S. Appl. No. 14/306,147 dated Sep. 9, 2014.
Official Communication for U.S. Appl. No. 14/306,154 dated Mar. 11, 2015.
Official Communication for U.S. Appl. No. 14/306,154 dated May 15, 2015.
Official Communication for U.S. Appl. No. 14/306,154 dated Nov. 16, 2015.
Official Communication for U.S. Appl. No. 14/306,154 dated Jul. 6, 2015.
Official Communication for U.S. Appl. No. 14/306,154 dated Sep. 9, 2014.
Official Communication for U.S. Appl. No. 14/319,161 dated Jan. 23, 2015.
Official Communication for U.S. Appl. No. 14/319,765 dated Sep. 10, 2015.
Official Communication for U.S. Appl. No. 14/319,765 dated Jun. 16, 2015.
Official Communication for U.S. Appl. No. 14/319,765 dated Nov. 25, 2014.
Official Communication for U.S. Appl. No. 14/319,765 dated Feb. 4, 2015.
Official Communication for U.S. Appl. No. 14/326,738 dated Dec. 2, 2014.
Official Communication for U.S. Appl. No. 14/326,738 dated Jul. 31, 2015.
Official Communication for U.S. Appl. No. 14/326,738 dated Mar. 31, 2015.
Official Communication for U.S. Appl. No. 14/451,221 dated Oct. 21, 2014.
Official Communication for U.S. Appl. No. 14/463,615 dated Nov. 13, 2014.
Official Communication for U.S. Appl. No. 14/463,615 dated May 21, 2015.
Official Communication for U.S. Appl. No. 14/463,615 dated Jan. 28, 2015.
Official Communication for U.S. Appl. No. 14/479,863 dated Dec. 26, 2014.
Official Communication for U.S. Appl. No. 14/483,527 dated Jan. 28, 2015.
Official Communication for U.S. Appl. No. 14/490,612 dated Aug. 18, 2015.
Official Communication for U.S. Appl. No. 14/490,612 dated Jan. 27, 2015.
Official Communication for U.S. Appl. No. 14/490,612 dated Mar. 31, 2015.
Official Communication for U.S. Appl. No. 14/504,103 dated Mar. 31, 2015.
Official Communication for U.S. Appl. No. 14/504,103 dated Feb. 5, 2015.
Official Communication for U.S. Appl. No. 14/571,098 dated Mar. 11, 2015.
Official Communication for U.S. Appl. No. 14/631,633 dated Sep. 10, 2015.
Official Communication for U.S. Appl. No. 14/731,312 dated Apr. 14, 2016.
Official Communication for U.S. Appl. No. 14/813,749 dated Sep. 28, 2015.
Official Communication for U.S. Appl. No. 14/816,748 dated Apr. 1, 2016.
Official Communication for U.S. Appl. No. 14/816,748 dated May 24, 2016.
Official Communication for U.S. Appl. No. 14/823,935 dated Dec. 4, 2015.
Official Communication for U.S. Appl. No. 14/923,712 dated Feb. 12, 2016.
Official Communication for U.S. Appl. No. 14/970,317 dated Mar. 21, 2016.
Official Communication for U.S. Appl. No. 14/982,699 dated Mar. 25, 2016.
Official Communication for U.S. Appl. No. 15/071,064 dated Jun. 16, 2016.
Official Communication for U.S. Appl. No. 15/253,717 dated Dec. 1, 2016.
Restriction Requirement for U.S. Appl. No. 13/839,026 dated Apr. 2, 2015.
“A Word About Banks and the Laundering of Drug Money,” Aug. 18, 2012, http://www.golemxiv.co.uk/2012/08/a-word-about-banks-and-the-laundering-of-drug-money/.
“Money Laundering Risks and E-Gaming: A European Overview and Assessment,” 2009, http://www.cf.ac.uk/socsi/resources/Levi_Final_Money_Laundering_Risks_egaming.pdf.
“Potential Money Laundering Warning Signs,” snapshot taken 2003, https://web.archive.org/web/20030816090055/http:/finsolinc.com/ANTI-MONEY%20LAUNDERING%20TRAINING%20GUIDES.pdf.
“Using Whois Based Geolocation and Google Maps API for Support Cybercrime Investigations,” http://wseas.us/e-library/conferences/2013/Dubrovnik/TELECIRC/TELECIRC-32.pdf.
Alfred, Rayner “Summarizing Relational Data Using Semi-Supervised Genetic Algorithm-Based Clustering Techniques”, Journal of Computer Science, 2010, vol. 6, No. 7, pp. 775-784.
Bhosale, Safal V., “Holy Grail of Outlier Detection Technique: A Macro Level Take on the State of the Art,” International Journal of Computer Science & Information Technology, Aug. 1, 2014, retrieved from http://www.ijcsit.com/docs/Volume5/vol5issue04/ijcsit20140504226.pdf retrieved May 3, 2016.
Golmohammadi et al., “Data Mining Applications for Fraud Detection in Securities Market,” Intelligence and Security Informatics Conference (EISIC), 2012 European, IEEE, Aug. 22, 2012, pp. 107-114.
Gu et al., “BotMiner: Clustering Analysis of Network Traffice for Protocol-and-Structure-Independent Botnet Detection,” USENIX Security Symposium, 2008, 17 pages.
Hodge et al., “A Survey of Outlier Detection Methodologies,” Artificial Intelligence Review, vol. 22, No. 2, Oct. 1, 2004.
Keylines.com, “An Introduction to KeyLines and Network Visualization,” Mar. 2014, http://keylines.com/wp-content/uploads/2014/03/KeyLines-White-Paper.pdf downloaded May 12, 2014 in 8 pages.
Keylines.com, “KeyLines Datasheet,” Mar. 2014, http://keylines.com/wp-content/uploads/2014/03/KeyLines-datasheet.pdf downloaded May 12, 2014 in 2 pages.
Keylines.com, “Visualizing Threats: Improved Cyber Security Through Network Visualization,” Apr. 2014, http://keylines.com/wp-content/uploads/2014/04/Visualizing-Threats1.pdf downloaded May 12, 2014 in 10 pages.
Li et al., “Identifying the Signs of Fraudulent Accounts using Data Mining Techniques,” Computers in Human Behavior, vol. 28, No. 3, Jan. 16, 2012.
Ngai et al., “The Application of Data Mining Techniques in Financial Fraud Detection: A Classification Frameworok and an Academic Review of Literature,” Decision Support Systems, Elsevier Science Publishers, Amsterdam, Netherlands, vol. 50, No. 3, Feb. 1, 2011.
Nolan et al., “MCARTA: A Malicious Code Automated Run-Time Analysis Framework,” Homeland Security (HST) 2012 IEEE Conference on Technologies for, Nov. 13, 2012, pp. 13-17.
Perdisci et al., “Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces,” USENIX, Mar. 18, 2010, pp. 1-14.
Quartert FS “Managing Business Performance and Detecting Outliers in Financial Services,” Oct. 16, 2014, retrieved from https://quartetfs.com/images/pdf/white-papers/Quartet_FS_White_Paper_-_ActivePivot_Sentinel.pdf retrieved on May 3, 2016.
Quartert FS “Resource Center,” Oct. 16, 2014, retrieved from https://web.archive.org/web/20141016044306/http://quartetfs.com/resource-center/white-papers retrieved May 3, 2016.
Shah, Chintan, “Periodic Connections to Control Server Offer New Way to Detect Botnets,” Oct. 24, 2013 in 6 pages, http://www.blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-new-way-to-detect-botnets.
Shi et al., “A Scalable Implementation of Malware Detection Based on Network Connection Behaviors,” 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, IEEE, Oct. 10, 2013, pp. 59-66.
Symantec Corporation, “E-Security Begins with Sound Security Policies,” Announcement Symantec, Jun. 14, 2001.
Wiggerts, T.A., “Using Clustering Algorithms in Legacy Systems Remodularization,” Reverse Engineering, Proceedings of the Fourth Working Conference, Netherlands, Oct. 6-8, 1997, IEEE Computer Soc., pp. 33-43.
Notice of Allowance for U.S. Appl. No. 14/139,628 dated Jun. 24, 2015.
Notice of Allowance for U.S. Appl. No. 14/139,640 dated Jun. 17, 2015.
Notice of Allowance for U.S. Appl. No. 14/139,713 dated Jun. 12, 2015.
Notice of Allowance for U.S. Appl. No. 14/264,445 dated May 14, 2015.
Notice of Allowance for U.S. Appl. No. 14/278,963 dated Sep. 2, 2015.
Notice of Allowance for U.S. Appl. No. 14/323,935 dated Oct. 1, 2015.
Notice of Allowance for U.S. Appl. No. 14/473,552 dated Jul. 24, 2015.
Notice of Allowance for U.S. Appl. No. 14/473,860 dated Feb. 27, 2015.
Notice of Allowance for U.S. Appl. No. 14/473,860 dated Jan. 5, 2015.
Notice of Allowance for U.S. Appl. No. 14/486,991 dated May 1, 2015.
Notice of Allowance for U.S. Appl. No. 14/579,752 dated Apr. 4, 2016.
Notice of Allowance for U.S. Appl. No. 14/616,080 dated Apr. 2, 2015.
Official Communication for European Patent Application No. 14159535.5 dated May 22, 2014.
Official Communication for European Patent Application No. 15155845.9 dated Oct. 6, 2015.
Official Communication for European Patent Application No. 15156004.2 dated Aug. 24, 2015.
Official Communication for European Patent Application No. 15175151.8 dated Nov. 25, 2015.
Official Communication for European Patent Application No. 15175171.8 dated Nov. 25, 2015.
Official Communication for European Patent Application No. 15180515.7 dated Dec. 14, 2015.
Official Communication for European Patent Application No. 15193287.8 dated Apr. 1, 2016.
Official Communication for European Patent Application No. 15201727.3 dated May 23, 2016.
Official Communication for European Patent Application No. 15202090.5 dated May 13, 2016.
Official Communication for European Patent Application No. 16183052.6 dated Dec. 12, 2016.
Official Communication for Great Britain Patent Application No. 1404457.2 dated Aug. 14, 2014.
Official Communication for Netherlands Patent Application No. 2012433 dated Mar. 11, 2016.
Official Communication for U.S. Appl. No. 14/139,628 dated Jan. 5, 2015.
Official Communication for U.S. Appl. No. 14/139,640 dated Dec. 15, 2014.
Official Communication for U.S. Appl. No. 14/139,713 dated Dec. 15, 2014.
Official Communication for U.S. Appl. No. 14/251,485 dated Oct. 1, 2015.
Official Communication for U.S. Appl. No. 14/264,445 dated Apr. 17, 2015.
Official Communication for U.S. Appl. No. 14/278,963 dated Jan. 30, 2015.
Official Communication for U.S. Appl. No. 14/323,935 dated Jun. 22, 2015.
Official Communication for U.S. Appl. No. 14/323,935 dated Nov. 28, 2014.
Official Communication for U.S. Appl. No. 14/323,935 dated Mar. 31, 2015.
Official Communication for U.S. Appl. No. 14/473,552 dated Feb. 24, 2015.
Official Communication for U.S. Appl. No. 14/473,860 dated Nov. 4, 2014.
Official Communication for U.S. Appl. No. 14/486,991 dated Mar. 10, 2015.
Official Communication for U.S. Appl. No. 14/518,757 dated Dec. 1, 2015.
Official Communication for U.S. Appl. No. 14/518,757 dated Apr. 2, 2015.
Official Communication for U.S. Appl. No. 14/518,757 dated Jul. 20, 2015.
Official Communication for U.S. Appl. No. 14/579,752 dated Aug. 19, 2015.
Official Communication for U.S. Appl. No. 14/579,752 dated May 26, 2015.
Official Communication for U.S. Appl. No. 14/579,752 dated Dec. 9, 2015.
Official Communication for U.S. Appl. No. 14/581,920 dated Mar. 1, 2016.
Official Communication for U.S. Appl. No. 14/581,920 dated Jun. 13, 2016.
Official Communication for U.S. Appl. No. 14/581,920 dated May 3, 2016.
Official Communication for U.S. Appl. No. 14/639,606 dated Oct. 16, 2015.
Official Communication for U.S. Appl. No. 14/639,606 dated May 18, 2015.
Official Communication for U.S. Appl. No. 14/639,606 dated Jul. 24, 2015.
Official Communication for U.S. Appl. No. 14/639,606 dated Apr. 5, 2016.
Official Communication for U.S. Appl. No. 14/698,432 dated Jun. 3, 2016.
Official Communication for U.S. Appl. No. 14/726,353 dated Mar. 1, 2016.
Official Communication for U.S. Appl. No. 14/726,353 dated Sep. 10, 2015.
Official Communication for U.S. Appl. No. 14/857,071 dated Mar. 2, 2016.
Official Communication for U.S. Appl. No. 15/072,174 dated Jun. 1, 2016.
Restriction Requirement for U.S. Appl. No. 14/857,071 dated Dec. 11, 2015.
Office Action for European Patent Application No. 15193287.8 dated Oct. 19, 2017.
Official Communication for European Patent Application No. 14200246.8 dated Oct. 19, 2017.
Official Communication for European Patent Application No. 14200246.8 dated May 29, 2015.
Official Communication for European Patent Application No. 18202651.8 dated Nov. 16, 2018.
Official Communication for U.S. Appl. No. 15/378,567 dated Jun. 30, 2017.
Official Communication for U.S. Appl. No. 15/419,718 dated Aug. 14, 2017.
Official Communication for U.S. Appl. No. 15/419,718 dated Oct. 17, 2017.
Official Communication for U.S. Appl. No. 15/378,567 dated Feb. 14, 2018.
Official Communication for U.S. Appl. No. 15/419,718 dated Jun. 6, 2018.
Official Communication for European Patent Application No. 18200706.2 dated Feb. 18, 2019.
Official Communication for European Patent Application No. 18202157.6 dated Dec. 11, 2018.
Official Communication for U.S. Appl. No. 16/148,241 dated Feb. 7, 2019.
Related Publications (1)
Number Date Country
20170187739 A1 Jun 2017 US
Provisional Applications (1)
Number Date Country
62202104 Aug 2015 US
Continuations (2)
Number Date Country
Parent 15253717 Aug 2016 US
Child 15459872 US
Parent 15072174 Mar 2016 US
Child 15253717 US