David K Pon, Age 521824 Arlington Blvd, Richmond, CA 94530

2022030, Sep 22, 2022

Jun 12, 2022

17/838241

- Redmond WA, US
Jonas EDGEWORTH - San Francisco CA, US
Chris KIERNAN - San Francisco CA, US
David PON - Sunnyvale CA, US
Elias MANOUSOS - San Francisco CA, US

G06F 40/143
G06F 16/958
G06F 40/205
G06F 40/14
H04L 9/32

Techniques are disclosed for analyzing documents to detect web components and the web frameworks in the documents. In at least one embodiment, a network analysis system is provided to passively detect web frameworks of documents. The network analysis system can render a document using a document object model to identify objects in the document that are defined as web components. A hash function may be applied to each of the objects to generate a hash signature for the object. Files defining web frameworks can be downloaded from a repository system. Each file may corresponding to a web component. A hash function is applied content in each file to generate a hash signature. The hash signatures of each file may be compared to the hash signatures of the objects in the document to identify a web component for each object. A web framework can be identified based on the web components.

2021031, Oct 7, 2021

Jun 21, 2021

17/353641

- San Francisco CA, US
Jonas Edgeworth - San Francisco CA, US
Chris Kiernan - San Francisco CA, US
Elias Manousos - San Francisco CA, US
David Pon - Sunnyvale CA, US

H04L 29/06
G06F 21/51
G06F 21/56
H04L 12/24

Embodiments of the present disclosure are directed to a network analytic system for tracking and analysis of network infrastructure for network-based digital assets. The network analytic system can detect and track a relationship between assets based on one or more attributes related or shared between any given assets. The network analytic system can analyze network-based digital assets to determine information about a website (e.g., information about electronic documents, such as web pages) that has be used to detect phishing and other abuse of the website. The network analytic system can analyze data about network-based assets to determine whether any are being used or connected to use of unauthorized or malicious activity or known network-based assets. Based on the relationship identified, the network analytic system can associate or link assets together. The network analytic system may provide an interface to view data sets generated by the network analytic system.

2021011, Apr 15, 2021

Dec 22, 2020

17/131620

- San Francisco CA, US
Jonas Edgeworth - San Francisco CA, US
Chris Kiernan - San Francisco CA, US
David Pon - Sunnyvale CA, US
Elias Manousos - San Francisco CA, US

G06F 40/14
G06F 16/958
G06F 40/205
H04L 9/32

Techniques are disclosed for analyzing documents to detect web components and the web frameworks in the documents. In at least one embodiment, a network analysis system is provided to passively detect web frameworks of documents. The network analysis system can render a document using a document object model to identify objects in the document that are defined as web components. A hash function may be applied to each of the objects to generate a hash signature for the object. Files defining web frameworks can be downloaded from a repository system. Each file may corresponding to a web component. A hash function is applied content in each file to generate a hash signature. The hash signatures of each file may be compared to the hash signatures of the objects in the document to identify a web component for each object. A web framework can be identified based on the web components.

2020020, Jun 25, 2020

Mar 3, 2020

16/808182

- San Francisco CA, US
David Pon - Sunnyvale CA, US
Chris Kiernan - San Francisco CA, US
Ben Adams - San Ramos CA, US
Jonas Edgeworth - San Francisco CA, US
Elias Manousos - San Francisco CA, US

H04L 29/06
H04L 29/08
H04L 9/32
G06F 21/12

Embodiments of the present invention are directed to identifying phishing websites by rendering and analyzing document object model (DOM) objects associated with a website for features that indicate phishing behavior. Embodiments analyze the full scope and functionality associated with a website by executing functions embedded in a DOM object before analyzing the website for phishing activity. Accordingly, embodiments render and analyze a fully executed DOM object for phishing behavior. Embodiments may then perform steps to mediate a website that is classified as performing phishing. Thus, embodiments are configured to (1) collect website information from a variety of websites and web servers connected to the internet, (2) analyze the collected data to determine whether the website information is performing phishing, and (3) mediate websites and other actors that are determined to be performing phishing based on the results of the phishing analysis.

2020012, Apr 16, 2020

Dec 10, 2019

16/709898

- San Francisco CA, US
Joseph Linn - Emeryville CA, US
Nick Goodman - San Mateo CA, US
Elias Manousos - San Francisco CA, US
Chris Kiernan - San Francisco CA, US
David Pon - Sunnyvale CA, US
Jonas Edgeworth - San Francisco CA, US

RISKIQ, Inc. - San Francisco CA

H04L 29/06
G06F 16/2457
G06F 16/955
G06F 16/951

The present disclosure generally relates to web page analysis, and more particularly to detecting malicious behavior using an accomplice model. In certain embodiments, the accomplice model may determine that a URI is associated with malicious behavior based upon the URI being associated with an attribute determined to be related to malicious behavior. Examples of an attribute include a host system, a domain, or an element of a document used to render the web page. Examples of an element of a document used to render the web page may include an active/dynamic element (e.g., a function, a script, etc.) or an inactive/static element (e.g., a string, a number, a frame, a tracking username, a social networking username, etc.).

2019033, Oct 31, 2019

Jul 9, 2019

16/506968

- San Francisco CA, US
Jonas Edgeworth - San Francisci CA, US
Chris Kiernan - San Francisco CA, US
David Pon - Sunnyvale CA, US
Elias Manousos - San Francisco CA, US

G06F 17/22
G06F 16/958
G06F 17/27
H04L 9/32

Techniques are disclosed for analyzing documents to detect web components and the web frameworks in the documents. In at least one embodiment, a network analysis system is provided to passively detect web frameworks of documents. The network analysis system can render a document using a document object model to identify objects in the document that are defined as web components. A hash function may be applied to each of the objects to generate a hash signature for the object. Files defining web frameworks can be downloaded from a repository system. Each file may corresponding to a web component. A hash function is applied content in each file to generate a hash signature. The hash signatures of each file may be compared to the hash signatures of the objects in the document to identify a web component for each object. A web framework can be identified based on the web components.

2019002, Jan 24, 2019

Sep 25, 2018

16/141917

- San Francisco CA, US
David Pon - Sunnyvale CA, US
Chris Kiernan - San Francisco CA, US
Ben Adams - San Ramon CA, US
Jonas Edgeworth - San Francisco CA, US
Elias Manousos - San Francisco CA, US
Joseph Linn - Emeryville CA, US

H04L 29/06
G06F 17/30
G06F 21/12
H04L 9/32

Embodiments are directed to using a hash signature of a rendered DOM object of a website to find similar content and behavior on other websites. Embodiments break a DOM into a large number of data portions (i.e., “shingles”), apply a hashing algorithm to the shingles, select a predetermined number of hashes from the hashed shingles according to a selection criteria to create a hash signature, and compare the hash signature to that of a reference page to determine similarity of website DOM object content. Embodiments can be used to identify phishing websites, defaced websites, spam websites, significant changes in the content of a webpage, copyright infringement, and any other suitable purposes related to the similarity between website DOM object content.

2018012, May 3, 2018

Nov 1, 2017

15/801247

- San Francisco CA, US
Joseph Linn - Emeryville CA, US
Elias Manousos - San Francisco CA, US
Chris Kiernan - San Francisco CA, US
David Pon - Sunnyvale CA, US
Jonas Edgeworth - San Francisco CA, US
Steven Alexander Daniel Pon - El Cerrito CA, US

RiskIQ, Inc. - San Francisco CA

H04L 29/06
G06F 17/30
G06F 17/22
G06K 9/62

The present disclosure generally relates to web page analysis, and more particularly to a classification system for web pages. The classification system may classify a web page as malicious based upon one or more signatures generated for the web page. For example, the classification system may compare one or more signatures generated for a first web page to one or more signatures generated for a second web page, where the first web page and the second web page are the same web page at different times or different web pages. Based upon a similarity of the signatures, the classification system may output whether the first web page is malicious. For another example, the classification system may include a classification model that is trained based upon one or more signatures for one or more classified web pages. The classification model may output whether the web page is malicious.