FIELD OF THE DISCLOSURE
The present disclosure in general relates to detection of fraud and more particularly, to a method
and system for classifying a user for detecting phishing attacks in Short Messaging Service
(SMS) communications.
5 BACKGROUND
Phishing attacks have been escalating day by day, where attackers deceive people into
revealing sensitive information or installing malware such as, without limiting to, ransomware.
Of late, phishing has become the most common type of cybercrime, with many cybercrime
regulatory bodies reporting more incidents of phishing than any other type of digital crime.
10 Smishing is a type of phishing attack that includes attackers sending various types of Short
Messaging Service (SMS) messages to a user, wherein the SMS messages may contain links
to open unsecured websites and prompt the user for login credentials or other personal data.
Smishing attacks target mobile phone users, enticing them with exciting job offers, holiday
offers or lottery prizes, which eventually result in the users revealing confidential information
15 such as, without limiting to, usernames, passwords, credit card or debit card details etc.
Currently, there exist plenty of algorithms and systems for detecting phishing emails,
categorizing them as spam or junk and automatically filtering such emails from the inbox. Such
anti-phishing systems can be easily designed due to the highly secured internet platform, a
number of internet service providers providing secured connections and most importantly due
20 to firewalls installed in every computing device. On the other hand, phishing that occurs
through the telecommunication channels, unfortunately, does not involve such secured
gateways to filter out phishing SMSs, and hence phishing through SMS has been increasing
day by day.
One way to detect phishing attacks may be to classify users as ‘genuine’ or ‘phishing’. Existing
25 user classification methods require huge communication data of the users to classify the users.
However, the existing methods may leave many users unclassified for whom such
communication data is unavailable, thereby resulting in inefficient detection of the phishing
attacks.
Hence, there exists is a need for a system and method to classify a user accurately and
30 efficiently for detecting phishing attacks.
The information disclosed in this background of the disclosure section is only for enhancement
of understanding of the general background of the disclosure and should not be taken as
acknowledgment or any form of suggestion that this information forms prior art already known
to a person skilled in the art.
5 SUMMARY
Disclosed herein is a method for classifying a user for detecting phishing attacks. The method
comprises retrieving communication data associated with a plurality of users from a telecom
server and creating a user relationship model in a database. The user relationship model
comprises a plurality of nodes representing the plurality of users, each node comprises the
10 communication data and an initial reputation score. The method comprises determining one or
more senders to the user from the user relationship model and determining a subset of senders
based on the initial reputation score of each of the one or more senders. The method comprises
updating the user relationship model at least by updating the initial reputation score of the user
based on the communication data of each of the subset of senders and classifying the user as
15 one of ‘genuine’ and ‘phishing’ based on the updated user relationship model.
Further disclosed herein is a system for classifying a user for detecting phishing attacks,
comprising a memory and a processor communicatively coupled with each other. The
processor is configured to retrieve communication data associated with a plurality of users from
a telecom server and creates a user relationship model in a database. The user relationship
20 model comprises a plurality of nodes representing the plurality of users, each node comprises
the communication data and an initial reputation score. The processor is configured to
determine one or more senders to the user from the user relationship model and determine a
subset of senders based on the initial reputation score of each of the one or more senders. The
processor is configured to update the user relationship model at least by updating the initial
25 reputation score of the user based on the communication data of each of the subset of senders
and classify the user as one of ‘genuine’ and ‘phishing’ based on the updated user relationship
model.
The foregoing summary is illustrative only and is not intended to be in any way limiting. In
addition to the illustrative aspects, embodiments, and features described above, further aspects,
30 embodiments, and features will become apparent by reference to the drawings and the
following detailed description.

We claim:
1. A method for classifying a user for detecting phishing attacks, the method
comprising:
5 retrieving, by a processor, communication data associated with a plurality of
users from a telecom server;
creating a user relationship model, by the processor, in a database, the user
relationship model comprising a plurality of nodes representing the plurality of
users, wherein each of the plurality of nodes comprising at least the communication
10 data and an initial reputation score;
determining, by the processor, one or more senders to the user from the user
relationship model;
determining, by the processor, a subset of senders based on the initial
reputation score of each of the one or more senders;
15 updating, by the processor, the user relationship model at least by updating
the initial reputation score of the user based on the communication data of each of
the subset of senders and
classifying, by the processor, the user as one of ‘genuine’ and ‘phishing’
based on the updated user relationship model.
20
2. The method of claim 1, wherein creating the user relationship model further
comprising:
generating the plurality of nodes indicating the plurality of users, wherein
each of the plurality of nodes comprising an identifier of a Subscriber Identity
25 Module (SIM) or an Application to Person (A2P) header associated with each of the
plurality of users, the communication data and the initial reputation score associated
with each of the plurality of users;
determining one or more users sending at least one message to the user as the
one or more senders to the user and creating a sender connection between the user
30 and each of the one or more senders; and
determining one or more users receiving at least one message from the user
as one or more recipients from the user and creating a recipient connection between
the user and each of the one or more recipients.
3. The method of claim 1, wherein the initial reputation score is evaluated based on one
or more reputation parameters comprising at least one of a count of messages
received by the user, a count of messages transmitted by the user, and a count of
messages received from a ‘genuine’ sender.
5
4. The method of claim 1, wherein determining the subset of the one or more senders
comprising:
classifying each of the one or more senders as one of a ‘genuine’ sender and
a ‘phishing’ sender based on the corresponding initial reputation score of the one or
10 more senders; and
grouping one or more ‘genuine’ senders as the subset of the one or more
senders.
5. The method of claim 1, wherein updating the initial reputation score of the user
15 comprising:
evaluating a first update factor at least based on the reputation score of each
of the subset of senders, a count of messages received from each of the subset of
senders, a count of messages transmitted by the user and a count of messages
received by the user, wherein the first update factor indicating a propagation of
20 reputation from the one or more senders to the user; and
updating the initial reputation score of the user based on the first update factor.
6. The method of claim 1, wherein updating the user relationship model further
comprising updating the initial reputation score of the one or more senders by:
25 classifying the user as one of a ‘genuine’ user or a ‘phishing’ user based on
the initial reputation score;
generating a second update factor for each of the one or more senders upon
classifying the user as the ‘phishing’ user, wherein the second update factor is
generated at least based on the reputation score of the user, a count of messages
30 received by the user from each of the one or more senders, a count of messages
transmitted by each of the one or more senders and a count of messages received by
each of the one or more senders, wherein the second update factor indicating a
propagation of the reputation of the user to the one or more senders; and updating the reputation score of each of the one or more senders to an updated
sender reputation score, based on the second update factor generated for each of the
one or more senders.
5 7. The method of claim 2, wherein updating the user relationship model further
comprising updating an initial reputation score of the one or more recipients by:
classifying the user as one of a ‘genuine’ user or a ‘phishing’ user based on
the initial reputation score of the user;
upon classifying the user as the ‘genuine’ user, classifying each of the one or
10 more recipients as one of a ‘genuine’ recipient and a ‘phishing’ recipient based on
the initial reputation scores of the one or more recipients;
grouping one or more ‘genuine’ recipients as a subset of recipients;
generating a third update factor for each of the subset of recipients at least
based on the initial reputation score of the subset of recipients, a count of messages
15 received by the subset of recipients from the user, a count of messages transmitted
by the subset of recipients and a count of messages received by the subset of
recipients; and
updating the initial reputation score of each of the subset of recipients to an
updated recipient reputation score based on the third update factor.
20
8. The method of claim 1, further comprising:
classifying each of the plurality of users as one of a ‘genuine’ user or a
‘phishing’ user based on the updated user relationship model;
dynamically blocking routing of one or more messages received from a SIM
25 associated with each of one or more ‘phishing’ users by:
generating a blocking notification for blocking the routing, wherein the
blocking notification comprising the identifier of the SIM, the one or more
messages received from the SIM and the updated reputation score of the
‘phishing’ user the SIM is associated with; and
30 transmitting the blocking notification to the telecom server to block the
one or more messages sent from the SIM.
9. The method of claim 1, further comprising:
retrieving the communication data associated with the plurality of users from
the telecom server at predetermined time intervals; and
generating a first update factor, a second update factor and a third update
factor at pre-determined time intervals; and
5 updating the initial reputation scores of the plurality of users based on the
first update factor, the second update factor and the third update factor thus
generated.
10. A system to classify a user for detecting phishing attacks, the system comprising:
10 a memory; and
a processor communicatively coupled with the memory and configured to:
retrieve communication data associated with a plurality of users from a
telecom server;
create a user relationship model in a database, the user relationship model
15 comprising a plurality of nodes representing the plurality of users, wherein each of
the plurality of nodes comprising at least the communication data and an initial
reputation score;
determine one or more senders to the user from the user relationship model;
determine a subset of senders based on the initial reputation score of each of
20 the one or more senders;
update the user relationship model at least by updating the initial reputation
score of the user based on the communication data of each of the subset of the
senders; and
classify the user as one of ‘genuine’ and ‘phishing’ based on the updated user
25 relationship model.
11. The system of claim 10, wherein to create the user relationship model, the processor
is configured to:
generate the plurality of nodes indicating the plurality of users, wherein each
30 of the plurality of nodes comprising an identifier of a Subscriber Identity Module
(SIM) or an Application to Person (A2P) header associated with each of the plurality
of users, the communication data and the initial reputation score associated with each
of the plurality of users;
determine one or more users sending at least one message to the user as the one or more senders to the user and create a sender connection between the user and
each of the one or more senders; and
determine one or more users receiving at least one message from the user as
one or more recipients from the user and creating a recipient connection between the
5 user and each of the one or more recipients.
12. The system of claim 10, wherein the processor is configured to evaluate the initial
reputation score based on one or more reputation parameters comprising at least one
of a count of messages received by the user, a count of messages transmitted by the
10 user, and a count of messages received from a ‘genuine’ sender.
13. The system of claim 10, wherein to determine the subset of the one or more senders,
the processor is configured to:
classify each of the one or more senders as one of a ‘genuine’ sender and a
15 ‘phishing’ sender based on the corresponding initial reputation score of the one or
more senders; and
group one or more ‘genuine’ senders as the subset of the one or more senders.
14. The system of claim 10, wherein to update the initial reputation score of the user, the
20 processor is configured to:
evaluate a first update factor at least based on the reputation score of each of
the subset of senders, a count of messages received from each of the subset of
senders, a count of messages transmitted by the user and a count of messages
received by the user, wherein the first update factor indicating a propagation of
25 reputation from the one or more senders to the user; and
update the initial reputation score of the user based on the first update factor.
15. The system of claim 10, wherein to update the user relationship model, the
processor is further configured to update the initial reputation score of the one or
30 more senders by:
classifying the user as one of a ‘genuine’ user or a ‘phishing’ user based on
the initial reputation score of the user;
generating a second update factor for each of the one or more senders upon
classifying the user as the ‘phishing’ user, wherein the second update factor is generated at least based on the reputation score of the user, a count of messages
received by the user from each of the one or more senders, a count of messages
transmitted by each of the one or more senders and a count of messages received by
each of the one or more senders, wherein the second update factor indicating a
5 propagation of the reputation of the user to the one or more senders; and
updating the reputation score of each of the one or more senders to an updated
sender reputation score, based on the second update factor generated for each of the
one or more senders.
10 16. The system of claim 11, wherein to update the user relationship model, the processor
is further configured to update an initial reputation score of the one or more recipients
by:
classifying the user as one of a ‘genuine’ user or a ‘phishing’ user based on
the initial reputation score of the user;
15 upon classifying the user as the ‘genuine’ user, classifying each of the one or
more recipients as one of a ‘genuine’ recipient and a ‘phishing’ recipient based on
the initial reputation scores of the one or more recipients;
grouping one or more ‘genuine’ recipients as a subset of recipients;
generating a third update factor for each of the subset of recipients at least
20 based on the initial reputation score of the subset of recipients, a count of messages
received by the subset of recipients from the user, a count of messages transmitted
by the subset of recipients and a count of messages received by the subset of
recipients; and
updating the initial reputation score of each of the subset of recipients to an
25 updated recipient reputation score based on the third update factor.
17. The system of claim 10, wherein the processor is further configured to:
classify each of the plurality of users as one of a ‘genuine’ user or a ‘phishing’
user based on the updated user relationship model;
30 dynamically block routing of one or more messages received from a SIM
associated with each of one or more ‘phishing’ users by:
generating a blocking notification for blocking the routing, wherein the
blocking notification comprising the identifier of the SIM, the one or more
messages received from the SIM and the updated reputation score of the ‘phishing’ user the SIM is associated with; and
transmitting the blocking notification to the telecom server to block the
one or more messages sent from the SIM.
5 18. The system of claim 10, wherein the processor is further configured to:
retrieve the communication data associated with the plurality of users from the
telecom server at predetermined time intervals; and
generate a first update factor, a second update factor and a third update factor
at pre-determined time intervals; and
10 update the initial reputation scores of the plurality of users based on the first
update factor, the second update factor and the third update factor thus generated.