Method and system for reducing reporting of non-malicious electronic messages in a cybersecurity system

US 10,027,701 B1
Filed: 08/11/2017
Issued: 07/17/2018
Est. Priority Date: 08/17/2016
Status: Active Grant

First Claim

Patent Images

1. An electronic message analysis system of a cybersecurity network, comprising:

a client computing device comprising a processor, a user interface, and a computer-readable medium storing programming instructions configured to cause a messaging client of the client computing device to;

receive an electronic message from a message origination server via a communications network,receive a user activation action via a user interface of the client computing device that indicates that a user has reported the received message as a potentially malicious message,upon receiving the user activation action, determine whether to report the received message to a remote service for analysis by determining whether the received message originated from a trusted sender,if the client computing device does not determine that the received message originated from a trusted sender, forward the received message to the remote service for analysis, andif the client computing device determines that the received message originated from a trusted sender, enable the user to cause the client computing device to take action on the received message without reporting the received message to the remote service.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client electronic device of an electronic message analysis system receives a user activation action indicating that a user has reported a message received at the client device a potentially malicious. The client device then determines whether to forward the message to a remote service for analysis by assessing whether the received message originated from a trusted sender. If and only if the client device determines that the received message originated from a trusted sender, it will permit the client device to take other action on the received message and not report the received message to a remote service for further analysis. If the client device does not determine that the received message originated from a trusted sender, it will report the received message to a remote service for further analysis.

Citations

21 Claims

1. An electronic message analysis system of a cybersecurity network, comprising:
- a client computing device comprising a processor, a user interface, and a computer-readable medium storing programming instructions configured to cause a messaging client of the client computing device to;
  
  receive an electronic message from a message origination server via a communications network,receive a user activation action via a user interface of the client computing device that indicates that a user has reported the received message as a potentially malicious message,upon receiving the user activation action, determine whether to report the received message to a remote service for analysis by determining whether the received message originated from a trusted sender,if the client computing device does not determine that the received message originated from a trusted sender, forward the received message to the remote service for analysis, andif the client computing device determines that the received message originated from a trusted sender, enable the user to cause the client computing device to take action on the received message without reporting the received message to the remote service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the instructions to determine whether the received message originated from a trusted sender comprise instructions to:
    - determine whether the received message includes a header field that starts with a predetermined key;
      
      if the received message includes a header field that starts with the predetermined key, further analyze that header field to determine whether a value that follows the predetermined key satisfies a first trusted sender rule; and
      
      if the value that follows the predetermined key satisfies the first trusted sender rule, determine that the received message originated from a trusted sender.
  - 3. The method of claim 1, wherein the instructions to determine whether the received message originated from a trusted sender further comprise instructions to:
    - determine whether the received message includes a header field that starts with a predetermined key;
      
      if the received message includes a header field that starts with the predetermined key, further analyze that header field to determine whether a value that follows the predetermined key satisfies a first trusted sender rule; and
      
      if the received message does not include a header field that starts with the predetermined key, or if the value that immediately follows the predetermined key does not satisfy the first trusted sender rule, forward the received message to a remote service and not determine that the received message originated from a trusted sender.
  - 4. The system of claim 2, wherein the instructions for determining whether any header field of a header section of the received message starts with a predetermined key comprise instructions to:
    - retrieve any header field in the header section that is an extension field of the header; and
      
      for each retrieved header field, determine whether the field name of the header field matches the predetermined key.
  - 5. The system of claim 2, wherein the first trusted sender rule comprises a condition that the value match a predetermined known value or a predetermined known format, wherein the predetermined known value and predetermined known format are included in the programming instructions of the client computing device.
  - 6. The system of claim 2, further comprising additional programming instructions that are configured to cause the messaging client of the client computing device to:
    - analyze an additional element of the received message to determine whether the additional element satisfies a second trusted sender rule; and
      
      when the additional element satisfies the second trusted sender rule, conclude that the received message originated from a trusted sender, otherwise send the received message to the remote service for further analysis.
  - 7. The system of claim 6, wherein the second trusted sender rule comprises:
    - a condition that any header field having a FROM fieldname include a value that is associated with a known sender;
      
      a condition that any header field having a domain name include a value that is associated with a known domain;
      
      a condition that any header field having a FROM fieldname include a value that is associated with a known sender, and a condition that any header field that includes a domain have a value that is associated with a known domain;
      
      a condition that a sender policy framework record have been published with a domain corresponding to an Internet protocol address in a header field of the received message;
      
      ora condition that a digital signature for Domain Keys Identified Mail authentication be verified using an authentication protocol of Domain-based Message Authentication, Reporting and Conformance.
  - 8. The system of claim 1, further comprising additional programming instructions that are configured to cause the messaging client of the client computing device to:
    - after receiving the user activation action, quarantine the message while the messaging client determines whether to report the message to the remote service for analysis;
      
      if the messaging client determines that the received message is potentially malicious, delete the message from the client computer device after forwarding the message to the remote service; and
      
      if the messaging client determines that the received message is from a trusted sender, cause the client computing device to display a prompt confirming the received message from the trusted sender and release the received message from quarantine after the user inputs a response to the prompt.
  - 9. The system of claim 1, further comprising additional programming instructions that are configured to cause the messaging client of the client computing device to:
    - determine that the user activation action includes a user indication of an element of the received message that the user has flagged as suspicious;
      
      output a prompt indicating that the received message is from a trusted sender and feedback explaining why the user indication was incorrect; and
      
      prompt the user to confirm whether to report the received message.

10. A method of assessing whether to forward an electronic message received by a client device to a remote service for analysis, the method comprising, by a messaging client of a client computing device:
- receiving an electronic message from a message origination server via a communications network;
  
  receiving a user activation action that indicates that a user has reported the received message as a potentially malicious message;
  
  upon receiving the user activation action, determining whether to report the received message to a remote service for analysis by determining a source of the received message;
  
  if the client computing device determines that the source is a trusted sender, enabling the user to use the client computing device to take action on the received message, and not sending the received message to a remote service for analysis, andif the client computing device does not determines that the source is a trusted sender, sending the received message to the remote service for analysis.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein determining the source of the received message comprises:
    - determining whether any header field of a header section of the received message starts with a predetermined key;
      
      for any header field that starts with the predetermined key, further analyzing that header field to determine whether a value that follows the predetermined key satisfies a first trusted sender rule; and
      
      if the value that follows the predetermined key satisfies the first trusted sender rule, determining that the received message may have originated from the trusted sender.
  - 12. The method of claim 10, further comprising:
    - assigning a class to the received message, wherein the class corresponds to at least one of the following;
      
      trusted from an internal source, trusted from an external source, or untrusted; and
      
      causing the client computing device to output a prompt to the user, wherein the prompt includes the class or information corresponding to the class.
  - 13. The method of claim 10, wherein the step of determining whether any header field of a header section of the received message starts with a predetermined key comprises:
    - retrieving any header field in the header section that is an extension field of the header; and
      
      for each retrieved header field, determining whether the field name of the header field matches the predetermined key.
  - 14. The method of claim 11, wherein the first trusted sender rule comprises one or more of the following:
    - a condition that a value match a predetermined known value, wherein the predetermined known value is included in the programming instructions;
      
      ora condition that the value have a format that matches a predetermined known format, wherein the predetermined known format is included in programming instructions.
  - 15. The method of claim 10, further comprising:
    - analyzing an additional element of the received message to determine whether the additional element satisfies a second trusted sender rule; and
      
      when the additional element satisfies the second trusted sender rule, concluding that the received message originated from a trusted sender, otherwise sending the received message to the remote service for further analysis;
      
      wherein the second trusted sender rule comprises;
      
      a condition that any header field having a FROM fieldname include a value that is associated with a known sender,a condition that any header field having a domain name include a value that is associated with a known domain,a condition that any header field having a FROM fieldname include a value that is associated with a known sender, and a condition that any header field having a domain include a value that is associated with a known domain,a condition that a sender policy framework record have been published with a domain corresponding to an Internet protocol address in a header field of the received message,a condition that the received message include a header field containing a FROM key and a value, and that the value be aligned with one or more attributes of a specific domain using an authentication protocol of Domain-based Message Authentication, Reporting and Conformance (DMARC),a condition that a digital signature in the received message be verified using an authentication protocol of DMARC, ora condition that an element of a body of the received message include an alphanumeric identifier that matches a known identifier or that has a known format.
  - 16. The method of claim 10, further comprising:
    - after receiving the user activation action, quarantining the message while the messaging client determines whether to report the message to the remote service for analysis;
      
      if the messaging client determines that the received message is potentially malicious, deleting the message from the client computer device after forwarding the message to the remote service; and
      
      if the messaging client determines that the received message is from a trusted sender, causing the client computing device to display a prompt confirming the received message from the trusted sender and releasing the received message from quarantine after the user inputs a response to the prompt.
  - 17. The method of claim 10, further comprising:
    - determining that the user activation action includes a user indication of an element of the received message that the user has flagged as suspicious;
      
      outputting a prompt indicating that the received message is from a trusted sender and feedback explaining why the user indication was incorrect; and
      
      prompting the user to confirm whether to report the received message.

18. An electronic message device, comprising:
- a processor; and
  
  a computer-readable medium storing programming instructions that are configured to cause the processor to;
  
  receive an electronic message via a communications network,receive a user activation action that indicates that a user has reported the received message as a potentially malicious message,upon receiving the user activation action, determine whether to report the received message to a remote service for analysis by determining whether the received message originated from a trusted sender, andupon determining that the received message originated from a trusted sender, enable the user to cause the electronic message device to take action on the received message without further reporting the received message to a cybersecurity analyzer server, otherwise forward the received message to the cybersecurity analyzer server without enabling the user to cause the electronic message device to take other action on the received message.
- View Dependent Claims (19, 20, 21)
- - 19. The electronic message device of claim 18, wherein the instructions to prompt to the user comprise instructions to display a message alerting the user that the received message is from a trusted sender.
  - 20. The electronic message device of claim 18, further comprising additional programming instructions that are configured to cause the processor to:
    - after receiving the user activation action, quarantine the message while the messaging client determines whether to report the message to the remote service for analysis;
      
      if the processor determines that the received message is potentially malicious, delete the message from the client computer device after forwarding the message to the remote service; and
      
      if the processor determines that the received message is from a trusted sender, cause the client computing device to display a prompt confirming the received message from the trusted sender and release the received message from quarantine after the user inputs a response to the prompt.
  - 21. The electronic message device of claim 18, further comprising additional programming instructions that are configured to cause the processor to:
    - determine that the user activation action includes a user indication of an element of the received message that the user has flagged as suspicious;
      
      output a prompt indicating that the received message is from a trusted sender and feedback explaining why the user indication was incorrect; and
      
      prompt the user to confirm whether to report the received message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Wombat Security Technologies, Inc (Proofpoint Incorporated)
Inventors
Himler, Alan, Campbell, John T., Ferrara, Joseph A., Hawthorn, Trevor T., Sadeh-Koniecpol, Norman, Wescoe, Kurt
Primary Examiner(s)
Korsak, Oleg

Application Number

US15/674,875
Time in Patent Office

340 Days
Field of Search
US Class Current
CPC Class Codes

H04L 51/046   Interoperability with other...

H04L 51/212   using filtering or selectiv...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/123   received data contents, e.g...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 69/22   Parsing or analysis of headers

Method and system for reducing reporting of non-malicious electronic messages in a cybersecurity system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for reducing reporting of non-malicious electronic messages in a cybersecurity system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links