Abstract: We attack software keylogging in a user's computer. We use a device driver (“Phlog”) that sits as close to the hardware controller as possible. It interacts with an antiphishing plug-in to a browser, that was described in our earlier inventions. When the plug-in validates a web page with a Notphish tag and a special field, then it contacts Phlog and has Phlog send it directly the key clicks. Bypassing any keylogging listening for those clicks. Our method can also be used against malware using mouse clicks as triggers for screen scraping.

Abstract: We have a method of making a Web Service and a website, which we call a Silo, that lets a sender upload a file (or directory) of arbitrary size, that she wants distributed electronically to one or more recipients. The uploading can be done via a standard web browser. The Silo associates a token with that file and gives that to the sender. The token is some random bit sequence. The sender can then send that token and the Silo's URL, to her recipients. Who can then use a browser to go to that Silo, present the token, and get the file. A simple usage for sender and recipient. It lets the sender compartmentalize access to various files, and avoids the limitations of using email or ftp to transfer the files. E-commerce can be enabled by having the Silo act as a recognized financial intermediary, and by the sender selling items. With a recipient paying the Silo, who acts as an escrow. The seller can also conduct public or private auctions, using the Silo to host them.

Abstract: A variant of phishing involves subverting an Internet access point, often used for mobile computing. Malware can route user requests for bank websites into a phisher's private network, with fake bank websites (pharming). The user can have a “mobile password” at the bank. When she connects from an access point, she sends a hash, found from the password, starting at some position in it. The bank returns a hash, found from the same password, starting at another position in it. Each can verify the other. We protect both from a man in the middle attack. By hashing a web page and the mobile password, and inserting the hash into the page that is sent, the recipient can verify that the page is untampered. We use an anonymizer, external to the access point. A user pre-establishes a password with the anonymizer. At the access point, she and the anonymizer use a zero knowledge protocol to verify each other, based on the password. Then, the password encrypts communication between them.

Abstract: We show how a Network Service Provider (NSP) can detect if any of its customers are involved in malware. Like spamming or phishing. This involves the NSP's router performing a sampled packet analysis of outgoing and incoming messages. And combining this with our earlier methods for detecting spammer domain clusters (swarms) or phishing. Our method lets an NSP quickly shut down spammer customers, and reduces the risk that it and its innocent customers get blacklisted by other NSPs and ISPs. We use static and dynamic blacklists in the detection of spam/bulk messages in a message stream. Also, we use 3 sets of Bulk Message Envelopes (BMEs). A static set, which might be found from an Aggregation Center. A dynamic blacklisted BME set, which comes from messages hit by our blacklists. And a dynamic BME set that “good” bulk messages are put into. In tests, our method has programatically and consistently detected around 80% of sets of email messages as bulk/spam.

Abstract: We investigate phishing web sites, by finding domain clusters using our antispam methods, from both phishing and non-phishing messages. We can find related web sites and analyze these for possible phishing. This can be done at an ISP, or by an analysis company, or in an appliance. We extend our anti-phishing tag, to let senders send personalized messages to a few recipients, where the messages have links or text to be validated in a lightweight fashion. The functionality of plug-ins is extended to let the user indicate that a web page or message is fraudulent, and to upload this to an Aggregator. An Aggregator can have a hierarchy of subAggregators, that validate companies, and act to distribute the workload from plug-ins. Messages and web pages without our tag can be classified. A company publishes a Restricted List of its pages containing sensitive operations, like user login. This information can be used by an ISP or plug-in against links or text in a message or web page.

Abstract: Search engine click fraud can be combated by a new Click Per Action method. This uses a plug-in in a browser to detect when a transaction has occurred at an advertiser's website. Here the user was directed to that advertiser by a link on a search engine's web page. Since the plug-in is independent of the advertiser, it greatly reduces the danger to the search engine that the advertiser will underreport the number and amount of transactions that were sent to it from the search engine. While the avoidance of the current Cost Per Click method reduces the click fraud suffered by current advertisers. The method can be deployed incrementally, and in conjunction with existing CPC methods.

Abstract: We show how to use a browser plug-in and a central Registrar server, to let users send registered or validated electronic messages in a lightweight manner, without using computationally expensive Public Key Infrastructure methods. To users, it is analogous to post office certified or registered mail. Our method can be done if the users, as senders and recipients, are at major ISPs, who have web pages for writing and reading messages, whose structure is known or can be found by the plug-in. Our method does not need the involvement of the ISPs, though that would facilitate some operations.

Abstract: From an electronic message, we extract any destinations in selectable links, and we reduce the message to a “canonical” (standard) form that we define. It minimizes the possible variability that a spammer can introduce, to produce unique copies of a message. We then make multiple hashes. These can be compared with those from messages received by different users to objectively find bulk messages. From these, we build hash tables of bulk messages and make a list of destinations from the most frequent messages. The destinations can be used in a Real time Blacklist (RBL) against links in bodies of messages. Similarly, the hash tables can be used to identify other messages as bulk or spam. Our method can be used by a message provider or group of users (where the group can do so in a p2p fashion) independently of whether any other provider or group does so. Each user can maintain a “gray list” of bulk mail senders that she subscribes to, to distinguish between wanted bulk mail and unwanted bulk mail (spam).

Abstract: We show how to compute useful and robust metrics for a Bulk Message Envelope. These metrics are based on whether recipients of messages read them, and if so, whether they click on any links in those messages, or perform other allowed actions, and optionally the time order in which they perform these actions. We call these metrics a MessageRank, and show how these can be used by a message provider, like an ISP, to give more information to recipients, who can then form ad hoc groups (transient social networks) to assess a common BME and its sender. Users can also use their collective decision making to classify incoming messages. A message provider can offer these as value added services, to increase its attractiveness to its users, relative to other message providers that do not do so. We also show how to detect spammer probe accounts. These are used by spammers on large message providers, to craft messages that can pass through the providers' antispam filters.

Abstract: We show how a spammer can use a programming language inside an electronic message to make a dynamic hyperlink, instead of a standard static hyperlink. She can use this to obfuscate her domain, against antispam methods that extract those domains to compare against a blacklist. Plus, she can create sacrificial messages with “infinite” loops and intersperse these with her other messages, with obscured dynamic hyperlinks, but lacking infinite loops. We show how to handle both cases, to be able to extract valid hyperlinks from the latter messages and use these in the construction of, or a comparison against, a blacklist.

Abstract: We describe a method of computing language-independent metrics (which we term “HideMe” and “HideAll”) to associate with selectable domains in electronic messages. We apply these as indicators as to whether a sender address is false, using a graph which we call a Cloaking Diagram. The metrics and the graph can be used to autoclassify domains involved in the transmission of bulk messages, according to the extent that the domains appear to be forging sender addresses and the extent that the domains appear to be acting as distributors of messages pointing to other domains. Also, we present a method of using a graphical analysis of metadata found from one set of electronic messages, or from two such sets, that reveals groupings or correlations between metadata. These groupings can be used to assign an entire group to a same category. It permits for an efficient determination of spam domains. It attacks the economics of spammers making and selling mailing lists to other spammers.

Abstract: We describe what we mean by styles, and show how these can be extracted from electronic messages. We describe the special and important case of email. We show how styles can be used to detect possible spam in a group of messages. We give details of many styles. These are independent of any particular human language in which an electronic message might be written. We show how the use of Bulk Message Envelopes leads to effective styles. We show one usage in distinguishing between newsletters and non-newsletters in bulk messages. Social networks can also be made, with useful marketing and other commercial applications. Styles can also be made to characterize correlations between messages in different electronic communication spaces, like email, SMS, Instant Messaging, Web pages, and Web Services.

Abstract: From a set of electronic messages, we describe how to use Bulk Message Envelopes (BMEs), each of which collects together closely related or identical messages, to extract metadata. The types of metadata depend on the modality of the messages. For email, these include domain, hash, style, relay and user address. We find clusters in each of these spaces, where the making of the clusters is the same, regardless of the space. The clusters can be used to reveal associations between different elements of that space, where these associations may not be apparent from a simple consideration of the individual, original messages. Specifically, domain clusters can be used to make or augment a Real time Blocking List (RBL), where the domains are found from links in the bodies of the messages. Large RBLs can be easily constructed, in an automated or near-automated fashion; aiding in antispam and antiphishing efforts.

Abstract: A method of computerized language instruction for a student. Based on data regarding past performance of the student, an adjustable speech recognizer is adjusted. An utterance is received from the student, and the utterance is processed using the adjusted adjustable speech recognizer. The adjustable speech recognizer may comprise an Automatic Speech Recognition (ASR) engine. A set of contexts is created. Each context includes a set of words and utterances selected to allow recognition of the words and utterances by a speech recognizer. For each context, a set of subcontexts is created. Each subcontext includes the words and utterances of the context and selected mispronunciations or misarticulations of the words and utterances of the context. Recursively passing a portion of a received utterance to an ASR engine is described.