US 12,438,904 B2
Systems and methods for zero-shot detection of malicious network communications through deployment of artificial intelligence techniques
Abhishek Singh, Morgan Hill, CA (US)
Assigned to InceptionCyber.ai, Inc., Palo Alto, CA (US)
Filed by InceptionCyber.ai, Inc., Palo Alto, CA (US)
Filed on May 13, 2024, as Appl. No. 18/662,868.
Claims priority of provisional application 63/606,089, filed on Dec. 4, 2023.
Prior Publication US 2025/0184346 A1, Jun. 5, 2025
Int. Cl. H04L 9/40 (2022.01); G06F 40/30 (2020.01)
CPC H04L 63/1433 (2013.01) [G06F 40/30 (2020.01); H04L 63/0236 (2013.01); H04L 63/1441 (2013.01); H04L 63/145 (2013.01)]
15 Claims
1. A computerized method for detecting a zero-shot cyberthreat comprising:
obtaining an electronic message;
parsing the electronic message into components including body and subject line information, wherein the electronic message is parsed into components including the body and subject line information and header information;
performing a pre-filtering analysis on the header information of the electronic message including a set of operations, wherein failing to meet a criteria of one of the set of operations results in the electronic message being further analyzed as part of the cyberthreat detection process, and wherein meeting the criteria of each of the set of operations results in the electronic message bypassing further analysis as part of the cyberthreat detection process, wherein the set of operations includes:
detecting the electronic message does not include an attachment,
detecting the electronic message does not include a call-to-action uniform resource locator (URL) in the body and subject line information,
determining that the electronic message was automatically generated by a known entity based on a sender's email address and detecting that the known entity is present on a predetermined allow-list,
detecting that the body and subject line information is provided in a specified language,
identifying a number of images attached to or included in the email meets or exceeds a threshold number of images,
detecting that a size of one or more of the images, individually or in combination, meets or exceeds a size threshold, or
identifying a file extension type of an attachment of the email and detecting that the file extension type is present on a predefined allow-list;
determining a likelihood probability that the electronic message is directed to one of a predefined set of topics by deploying a probabilistic generative model, wherein the electronic message has a likelihood probability of being directed to a first topic of at least a first threshold;
generating a prompt for a language model based on the first topic;
providing the prompt and the body and subject line information of the electronic message to the language model;
generating a semantic result based on a response to the prompt from the language model;
classifying, by a relationship compiler or a neural network, the electronic message as malicious or benign based on the semantic result; and
generating a graphical user interface display that indicates whether the electronic message has been classified as malicious or benign.
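
The pre-filtering step of claim 1, sketched as an added example that is not taken from the patent or from the assignee's implementation: it applies three of the listed operations (no attachment, no URL in body or subject, sender on an allow-list) and sends the message to further analysis if any one fails. The function name, the allow-list contents, the URL pattern and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed values: the claim leaves the allow-list and URL detection unspecified.
ALLOWED_SENDER_DOMAINS = {"notify.example.com"}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def prefilter(raw: bytes) -> tuple[bool, list[str]]:
    """Return (bypass, failed_checks); bypass is True only if every check passes."""
    msg = message_from_bytes(raw, policy=policy.default)
    failed = []
    # Operation: the message does not include an attachment.
    if any(True for _ in msg.iter_attachments()):
        failed.append("has_attachment")
    # Operation: no URL in the subject line or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if URL_RE.search(text):
        failed.append("has_url")
    # Operation: sender address belongs to an allow-listed entity.
    # From is sender-controlled, so this check only carries weight once the
    # sender has been authenticated (for example by DMARC) upstream.
    _, addr = parseaddr(str(msg["From"] or ""))
    if addr.rpartition("@")[2].lower() not in ALLOWED_SENDER_DOMAINS:
        failed.append("sender_not_allow_listed")
    return (not failed, failed)

# Constructed sample messages (not real traffic).
BENIGN = (b"From: Billing <noreply@notify.example.com>\r\n"
          b"Subject: Your monthly statement is ready\r\n"
          b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
          b"Your statement for this month is now available in the app.\r\n")
SUSPECT = (b"From: IT Desk <helpdesk@mail.example.net>\r\n"
           b"Subject: Password expires today\r\n"
           b"Content-Type: text/plain\r\n\r\n"
           b"Confirm your account at http://login.example.net/verify now.\r\n")

def sample_with_attachment() -> bytes:
    m = EmailMessage()
    m["From"] = "Billing <noreply@notify.example.com>"
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b"%PDF-", maintype="application", subtype="pdf",
                     filename="invoice.pdf")
    return m.as_bytes()
```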