Time zero classification of messages

US 10,084,801 B2
Filed: 12/06/2016
Issued: 09/25/2018
Est. Priority Date: 07/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method for classifying a message, the method comprising:

receiving a message at a computer network interface;

performing a first test on content associated with the received message;

assigning an infectiousness probability to the received message based on the first test;

comparing the assigned infectiousness probability to a plurality of thresholds;

classifying the received message as suspicious based on the assigned infectiousness probability being above a legitimate threshold and below an infectious threshold;

performing a second test on the content associated with the received message;

updating the infectiousness probability of the received message based on the second test;

comparing the updated infectiousness probability to the thresholds;

re-classifying the message as infectious based on the updated infectiousness probability meeting the infectious threshold; and

performing an action based on the reclassification of the message, wherein the action includes preventing the message from being delivered to a recipient of the message when the reclassification indicates infectiousness.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting infectious messages comprises performing an individual characteristic analysis of a message to determine whether the message is suspicious, determining whether a similar message has been noted previously in the event that the message is determined to be suspicious, classifying the message according to its individual characteristics and its similarity to the noted message in the event that a similar message has been noted previously.

138 Citations

17 Claims

1. A method for classifying a message, the method comprising:
- receiving a message at a computer network interface;
  
  performing a first test on content associated with the received message;
  
  assigning an infectiousness probability to the received message based on the first test;
  
  comparing the assigned infectiousness probability to a plurality of thresholds;
  
  classifying the received message as suspicious based on the assigned infectiousness probability being above a legitimate threshold and below an infectious threshold;
  
  performing a second test on the content associated with the received message;
  
  updating the infectiousness probability of the received message based on the second test;
  
  comparing the updated infectiousness probability to the thresholds;
  
  re-classifying the message as infectious based on the updated infectiousness probability meeting the infectious threshold; and
  
  performing an action based on the reclassification of the message, wherein the action includes preventing the message from being delivered to a recipient of the message when the reclassification indicates infectiousness.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the second test performed on the content associated with the received message includes at least one of a signature matching test, a file mane test a character test, a bit pattern test, an N-gram test, and a probabilistic finite stat automata test.
  - 3. The method of claim 1, wherein updating the infectiousness probability comprises assigning a value of one when the second test identifies that at least a portion of the content associated with the received message exactly matches a signature associated with a known virus.
  - 4. The method of claim 1, wherein updating the infectiousness probability comprises assigning a value that corresponds to a degree of similarity in accordance with a statistical model that includes one or more characteristics that are associated with a virus.
  - 5. The method of claim 4, wherein the one or more characteristics include one or more of a signature, a receipt time, the identity of a recipient, a number of recipients, a sender, an attachment size, a number of attachments, a number of executable attachments, a file name, a file type, and conflicting information in an attachment name.
  - 6. The method of claim 4, further comprising:
    - receiving a plurality of additional messages that include at least one of the characteristics;
      
      increasing a count for each of the additional messages that include the at least one characteristic;
      
      identifying that the count has crossed a virus count threshold; and
      
      preventing at least one of the additional messages from being delivered to a recipient based on the identification that the count has crossed the virus count threshold.

7. A non-transitory computer readable storage medium having embodied thereon a program executable by a processor to perform a method for classifying a message, the method comprising:
- receiving a message over a computer network interface;
  
  performing a first test on content associated with the received message;
  
  assigning an infectiousness probability to the received message based on the first test;
  
  comparing the assigned infectiousness probability to a plurality of thresholds;
  
  classifying the received message as suspicious based on the assigned infectiousness probability being above a legitimate threshold and below an infectious threshold;
  
  performing a second test on the content associated with the received message;
  
  updating the infectiousness probability of the received message based on the second test;
  
  comparing the updated infectiousness probability to the thresholds;
  
  re-classifying the message as infectious based on the updated infectiousness probability meeting the infectious threshold; and
  
  performing an action based on the reclassification of the message, wherein the action includes preventing the message from being delivered to a recipient of the message when the reclassification indicates infectiousness.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer readable storage medium of claim 7, wherein the second test performed on the content associated with the received message includes at least one of a signature matching test, a file mane test a character test, a bit pattern test, an N-gram test, and a probabilistic finite stat automata test.
  - 9. The non-transitory computer readable storage medium of claim 7, wherein updating the infectiousness probability comprises assigning a value of one when the second test identifies that at least a portion of the content associated with the received message exactly matches a signature associated with a known virus.
  - 10. The non-transitory computer readable storage medium of claim 7, wherein updating the infectiousness probability comprises assigning a value that corresponds to a degree of similarity in accordance with a statistical model that includes one or more characteristics that are associated with a virus.
  - 11. The non-transitory computer readable storage medium of claim 10, wherein the one or more characteristics include one or more of a signature, a receipt time, the identity of a recipient, a number of recipients, a sender, an attachment size, a number of attachments, a number of executable attachments, a file name, a file type, and conflicting information in an attachment name.
  - 12. The non-transitory computer readable storage medium of claim 10, wherein the program further comprises instructions executable to:
    - receive a plurality of additional messages that include at least one of the characteristics;
      
      increase a count for each of the additional messages that include the at least one characteristic;
      
      identify that the count has crossed a virus count threshold; and
      
      prevent at least one of the additional messages from being delivered to a recipient based on the identification that the count has crossed the virus count threshold.

13. An apparatus for classifying a message, the apparatus comprising:
- a network interface that receives a message over a computer network interface; and
  
  a processor that executes instructions out of memory to;
  
  perform a first test on content associated with the received message;
  
  assign an infectiousness probability to the received message based on the first test,compare the assigned infectiousness probability to a plurality of thresholds,classify the received message based on the assigned infectiousness probability being above a legitimate threshold and below an infectious threshold,perform a second test on the content associated with the received message,update the infectiousness probability of the received message based on the second test,compare the updated infectiousness probability to the thresholds,re-classify the message as infectious based on the updated infectiousness probability meeting the infectious threshold, andperform an action based on the reclassification of the message, wherein the action includes preventing the message from being delivered to a recipient of the message when the reclassification indicates infectiousness.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13, wherein the second test performed on the content associated with the received message includes at least one of a signature matching test, a file mane test a character test, a bit pattern test, an N-gram test, and a probabilistic finite stat automata test.
  - 15. The apparatus of claim 13, wherein the processor updates the infectiousness probability by assigning a value of one when the second test identifies that at least a portion of the content associated with the received message exactly matches a signature associated with a known virus.
  - 16. The apparatus of claim 13, wherein the processor updates the infectiousness probability by assigning a value that corresponds to a degree of similarity in accordance with a statistical model that includes one or more characteristics that are associated with a virus.
  - 17. The apparatus of claim 13, wherein the processor executes further instructions to:
    - receive a plurality of additional messages that include at least one of the characteristics;
      
      increase a count for each of the additional messages that include the at least one characteristic;
      
      identify that the count has crossed a virus count threshold; and
      
      prevent at least one of the additional messages from being delivered to a recipient based on the identification that the count has crossed the virus count threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SonicWALL US Holdings, Inc. (SonicWall Holdings Ltd.)
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Rihn, Jennifer, Oliver, Jonathan J.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US15/370,873
Publication Number

US 20170155670A1
Time in Patent Office

658 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06N 7/01   Probabilistic graphical mod...

H04L 63/0245   Filtering by information in...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Time zero classification of messages

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

138 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Time zero classification of messages

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others