Advanced processing of electronic messages with attachments in a cybersecurity system

US 10,063,584 B1
Filed: 01/24/2018
Issued: 08/28/2018
Est. Priority Date: 08/17/2016
Status: Active Grant

First Claim

Patent Images

1. A system for managing computer security risks associated with message file attachments in a cybersecurity network, the system comprising:

a client computing device comprising;

a processing device,a messaging client, anda computer-readable medium portion storing programming instructions that are configured to cause the client computing device to;

receive an electronic message that includes an attachment; and

prevent the attachment from actuating on the client computing device until the system determines whether the received message is a legitimate message or a potentially malicious message; and

a computer-readable medium portion storing programming instructions that are configured to cause the client computing device or a remote computing device to;

determine whether the received message is a legitimate message or a potentially malicious message without analyzing the attachment,if the determining determines that the received message is a legitimate message, permit the attachment to actuate on the client computing device, andif the determining determines that the received message is not or may not be a legitimate message, continue preventing the attachment from actuating on the client computing device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system manages computer security risks associated with message file attachments. When a user of an electronic device with a messaging client attempts to open an attachment to a message that is in the client'"'"'s inbox, the system will analyze the message to determine whether the message is a legitimate message or a potentially malicious message without the need to actually process or analyze the attachment itself. If the system determines that the received message is a legitimate message, the system will permit the attachment to actuate on the client computing device. If the system determines that the received message is not or may not be a legitimate message, the system will continue preventing the attachment from actuating on the client computing device.

79 Citations

View as Search Results

22 Claims

1. A system for managing computer security risks associated with message file attachments in a cybersecurity network, the system comprising:
- a client computing device comprising;
  
  a processing device,a messaging client, anda computer-readable medium portion storing programming instructions that are configured to cause the client computing device to;
  
  receive an electronic message that includes an attachment; and
  
  prevent the attachment from actuating on the client computing device until the system determines whether the received message is a legitimate message or a potentially malicious message; and
  
  a computer-readable medium portion storing programming instructions that are configured to cause the client computing device or a remote computing device to;
  
  determine whether the received message is a legitimate message or a potentially malicious message without analyzing the attachment,if the determining determines that the received message is a legitimate message, permit the attachment to actuate on the client computing device, andif the determining determines that the received message is not or may not be a legitimate message, continue preventing the attachment from actuating on the client computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, further comprising:
    - a message origination server configured to generate and transmit mock malicious messages with mock malicious attachments; and
      
      additional programming instructions that are configured to cause the client computing device to, for any message that the system determines is a legitimate message and that is one of the mock malicious messages and for which the system receives an indication that a user of the client computing device attempted to open the attachment;
      
      analyze a header section of that message to detect an identifier that can be used to identify a user or device to which that message was directed, wherein the identifier comprises a value of a “
      
      TO”
      
      field in the header section, a device code, or a user identifier, andsend the detected identifier and related event information to a cybersecurity analyzer server for recording in a data store information indicating that the user attempted to open an attachment to a mock malicious message.
  - 3. The system of claim 1, further comprising additional programming instructions that are configured to cause the client computing device or remote computing device to:
    - cause the client computing device to output a prompt to the user, wherein the prompt includes a result of the determination of whether the received message is a legitimate message or a potentially malicious message;
      
      further analyze the received message to assign a class to the received message; and
      
      include information corresponding to the assigned class in the prompt.
  - 4. The system of claim 1, wherein:
    - the programming instructions for determining whether the received message is a legitimate message or a malicious message comprise instructions to;
      
      select a structural element of the received message,obtain information corresponding to the structural element, anduse the obtained information to assign a trust value to the structural element; and
      
      the system comprises additional programming instructions that are configured to cause the client computing device to output a prompt that presents a user with the structural element, and descriptive material corresponding to the obtained information, to train the user about how the structural element can help identify why the received message is a legitimate message.
  - 5. The system of claim 4, wherein the programming instructions for obtaining information corresponding to the structural element comprise instructions to, if the structural element comprises a hyperlink, access a domain name registrar to retrieve information that indicates an age of a domain associated with the hyperlink.
  - 6. The system of claim 4, wherein the programming instructions for obtaining information corresponding to the structural element comprise instructions to, if the structural element comprises a hyperlink, obtain the information corresponding to the structural element by:
    - identifying a domain name registrar for a domain associated with the hyperlink, andaccessing a data set of known domain name registrars to identify whether the registrar is known to register malicious websites.
  - 7. The system of claim 4, wherein the programming instructions for obtaining information corresponding to the structural element comprise instructions to, if the structural element comprises a plurality of hyperlinks, determine a number of redirects associated with the plurality of hyperlinks.
  - 8. The system of claim 3, further comprising:
    - a message origination server configured to generate and transmit mock malicious messages with mock malicious attachments; and
      
      wherein the instructions for assigning a class to the received message comprise instructions to, if the received message is one of the mock malicious messages generated by the message origination server, assign a mock malicious message class to the received message.
  - 9. The system of claim 8, wherein the instructions for assigning a class to the received message comprise instructions to determine that received message is one of the mock malicious messages if:
    - a header field of a header section of the received message starts with a predetermined key; and
      
      for any header field that starts with the predetermined key, that header field also includes a value that satisfies a first trusted sender rule.
  - 10. The system of claim 9, wherein the instructions to determine that a received message is one of the mock malicious messages also require that an additional element of the received message satisfies a second trusted sender rule as a condition of determining that a received message is one of the mock malicious messages, wherein the second trusted sender rule comprises:
    - a requirement that any header field having a FROM fieldname include a value that is associated with a known sender;
      
      a requirement that any header field that includes a domain have a value that is associated with a known domain;
      
      ora requirement that any header field having a FROM fieldname include a value that is associated with a known sender, and a requirement that any header field that includes a domain include a value that is associated with a known domain.
  - 11. The system of claim 1, wherein the programming instructions that cause the client computing device to prevent the attachment from actuating on the client computing device until the system determines whether the received message is a legitimate message or a potentially malicious message comprise instructions to:
    - quarantine the received message; and
      
      release the received message from quarantine only if and after determining that the received message is a legitimate message.

12. A method of managing computer security risks associated with message file attachments in a cybersecurity network, the method comprising:
- by a client computing device comprising a processing device, executing programming instructions configured to cause the client computing device to;
  
  receive, by a messaging client application of the client computing device, an electronic message that includes an attachment,prevent the attachment from actuating until the client computing device determines whether the received message is a legitimate message or a potentially malicious message,without analyzing the attachment, determine whether the received message is a legitimate message or a potentially malicious message,if the determining determines that the received message is a legitimate message, permit the attachment to actuate on the client computing device, andif the determining determines that the received message is not or may not be a legitimate message, continue to prevent the attachment from actuating on the client computing device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, further comprising:
    - by a message origination server, generating and transmitting mock malicious messages with mock malicious attachments; and
      
      by the client computing device, for any message that the client computing device determines is a legitimate message and that is one of the mock malicious messages and for which the system receives an indication that a user of the client computing device attempted to open the attachment;
      
      analyzing a header section of that message to detect an identifier that can be used to identify a user or device to which that message was directed, wherein the identifier comprises a value of a “
      
      TO”
      
      field in the header section, a device code, or a user identifier, andsending the detected identifier and related event information to a cybersecurity analyzer server for recording in a data store information indicating that the user attempted to open an attachment to a mock malicious message.
  - 14. The method of claim 12, further comprising by the client computing device:
    - outputting a prompt to the user, wherein the prompt includes a result of the determination of whether the received message is a legitimate message or a potentially malicious message;
      
      further analyzing the received message to assign a class to the received message; and
      
      including information corresponding to the assigned class in the prompt.
  - 15. The method of claim 12, wherein:
    - determining whether the received message is a legitimate message or a malicious message comprises;
      
      selecting a structural element of the received message;
      
      obtaining information corresponding to the structural element, andusing the obtained information to assign a trust value to the structural element; and
      
      the method also comprises outputting a prompt that presents the user with the structural element, and descriptive material corresponding to the obtained information, to train the user about how the structural element can help indicate why the received message is a legitimate message.
  - 16. The method of claim 15, wherein obtaining the information corresponding to the structural element comprises, if the structural element comprises a hyperlink, accessing a domain name registrar to retrieve information that indicates an age of a domain associated with the hyperlink.
  - 17. The method of claim 15, wherein obtaining the information corresponding to the structural element comprises, if the structural element comprises a hyperlink, obtaining the information corresponding to the structural element by:
    - identifying a domain name registrar for a domain associated with the hyperlink; and
      
      accessing a data set of known domain name registrars to identify whether the registrar is known to register malicious websites.
  - 18. The method of claim 15, wherein obtaining the information corresponding to the structural element comprises, if the structural element comprises a plurality of hyperlinks, determining a number of redirects associated with the plurality of hyperlinks.
  - 19. The method of claim 14, further comprising:
    - by a message origination server, generating and transmitting mock malicious messages with mock malicious attachments; and
      
      when assigning a class to the received message, if the received message is one of the mock malicious messages generated by the message origination server, assigning a mock malicious message class to the received message.
  - 20. The method of claim 19, further comprising determining that the received message is one of the mock malicious messages if:
    - a header field of a header section of the received message starts with a predetermined key; and
      
      for any header field that starts with the predetermined key, that header field also includes a value that satisfies a first trusted sender rule.
  - 21. The method of claim 20, further comprising requiring, as a condition of determining that a received message is one of the mock malicious messages, that an additional element of the received message satisfies a second trusted sender rule, wherein the second trusted sender rule comprises:
    - a requirement that any header field having a FROM fieldname include a value that is associated with a known sender;
      
      a requirement that any header field that includes a domain have a value that is associated with a known domain;
      
      ora requirement that any header field having a FROM fieldname include a value that is associated with a known sender, and a requirement that any header field that includes a domain have include a value that is associated with a known domain.
  - 22. The method of claim 12, wherein preventing the attachment from actuating until the client computing device determines whether the received message is a legitimate message or a potentially malicious message comprises:
    - quarantining the received message; and
      
      releasing the received message from quarantine only if and after the client computing device determines that the received message is a legitimate message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Wombat Security Technologies, Inc (Proofpoint Incorporated)
Inventors
Wescoe, Kurt, Campbell, John T., Ferrara, Joseph A., Hawthorn, Trevor T., Himler, Alan, Sadeh-Koniecpol, Norman
Primary Examiner(s)
Tran, Tri

Application Number

US15/878,797
Time in Patent Office

216 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

H04L 67/01   Protocols

H04L 69/22   Parsing or analysis of headers

Advanced processing of electronic messages with attachments in a cybersecurity system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced processing of electronic messages with attachments in a cybersecurity system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links