Identifying user behavior in a distributed computing system

US 10,104,117 B2
Filed: 02/24/2016
Issued: 10/16/2018
Est. Priority Date: 02/24/2016
Status: Active Grant

First Claim

Patent Images

1. A computing system, comprising:

a processor; and

memory storing instructions executable by the processor, wherein the instructions, when executed, configure the computing system to;

based on electronic mail (e-mail) data, identify a set of forwarding e-mail accounts, that are each configured to forward messages to a particular e-mail account;

compare the number of forwarding e-mail accounts in the identified set to a threshold number;

based on the comparison, identify the particular e-mail account as a dropbox e-mail account that is a destination of forwarded messages from the threshold number of forwarding e-mail accounts;

identify, as malicious collection e-mail accounts, at least a subset of the forwarding e-mail accounts that forward messages to the identified dropbox e-mail account;

generate a malicious collection account identifier that identifies the malicious collection e-mail accounts; and

perform a resolution action to resolve the malicious collection e-mail accounts based on the malicious collection account identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A list of electronic mail (e-mail) accounts is extracted from an electronic mail system. A list of electronic mail accounts, with forwarding enabled, are identified as a set of collection accounts. A dropbox account is identified, from the collection accounts, as a destination e-mail account for the forwarded collection accounts. The collection accounts that forward to the dropbox account that has in excess of a threshold number of collection accounts forwarding to it, are identified as malicious e-mail collection accounts and are forwarded to a resolution system, for resolution.

27 Citations

19 Claims

1. A computing system, comprising:
- a processor; and
  
  memory storing instructions executable by the processor, wherein the instructions, when executed, configure the computing system to;
  
  based on electronic mail (e-mail) data, identify a set of forwarding e-mail accounts, that are each configured to forward messages to a particular e-mail account;
  
  compare the number of forwarding e-mail accounts in the identified set to a threshold number;
  
  based on the comparison, identify the particular e-mail account as a dropbox e-mail account that is a destination of forwarded messages from the threshold number of forwarding e-mail accounts;
  
  identify, as malicious collection e-mail accounts, at least a subset of the forwarding e-mail accounts that forward messages to the identified dropbox e-mail account;
  
  generate a malicious collection account identifier that identifies the malicious collection e-mail accounts; and
  
  perform a resolution action to resolve the malicious collection e-mail accounts based on the malicious collection account identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computing system of claim 1 wherein the instructions configure the computing system to:
    - access the e-mail data in a user account data store; and
      
      identify the set of forwarding e-mail accounts, as a set of collection accounts, based on the accessed data.
  - 3. The computing system of claim 2 wherein the instructions configure the computing system to access forwarding status information associated with e-mail accounts identified in the e-mail data to identify the set of forwarding e-mail accounts.
  - 4. The computing system of claim 2 wherein the instructions configure the computing system to:
    - identify a boundary in the user account data store that stores the e-mail data, the boundary delineating e-mail data in the user account data store that is accessed by the collection account identifying logic in identifying the set of collection accounts.
  - 5. The computing system of claim 3 wherein the instructions configure the computing system to:
    - identify a dropbox forwarding account threshold indicative of the threshold number of forwarding e-mail accounts.
  - 6. The computing system of claim 5 wherein the instructions configure the computing system to:
    - identify the dropbox forwarding account threshold based on a ratio of a number of e-mail accounts in the set of forwarding e-mail accounts to a number of dropbox e-mail accounts identified in the boundary.
  - 7. The computing system of claim 6 wherein the instructions configure the computing system to:
    - identify the dropbox forwarding account threshold based on a ratio of a total number of e-mail accounts in the boundary to a total number of forwarding e-mail accounts in the boundary.
  - 8. The computing system of claim 7 wherein the instructions configure the computing system to:
    - identify the dropbox forwarding account threshold based on a threshold number of unique dropbox e-mail accounts identified in the boundary.
  - 9. The computing system of claim 1 wherein the resolution action comprises:
    - automatically suspending the malicious collection e-mail accounts.
  - 10. The computing system of claim 1 wherein the resolution action comprises automatically re-configuration filtering information corresponding to the malicious collection e-mail accounts to inhibit forwarding of messages from the malicious collection e-mail accounts.
  - 11. The computing system of claim 1 wherein the resolution action comprises automatically removing forwarding status information corresponding to the malicious collection e-mail accounts to inhibit forwarding of messages from the malicious collection e-mail accounts.

12. A computer implemented method, comprising:
- obtaining electronic mail (e-mail) data indicative of a set of forwarding e-mail accounts,that are each configured to forward messages to particular e-mail account;
  
  compare the number of forwarding e-mail accounts in the set to a threshold number;
  
  based on the comparison, identifying the particular e-mail account as a dropbox e-mail account that is a destination of forwarded messages from the threshold number of the-forwarding e-mail accounts;
  
  identifying, as malicious collection e-mail accounts, at least a subset of the forwarding e-mail accounts that forward messages to the identified dropbox e-mail account;
  
  generating a malicious collection account identifier that identifies the malicious collection e-mail accounts; and
  
  performing, by a resolution system device, a resolution action to resolve the malicious collection e-mail accounts based on the malicious collection account identifier.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer implemented method of claim 12 and further comprising:
    - accessing forwarding status information associated with e-mail accounts identified in the e-mail data the e-mail data in a user account data store; and
      
      identifying the set of forwarding e-mail accounts, as a set of collection accounts, based on the accessed data.
  - 14. The computer implemented method of claim 13 and further comprising:
    - identifying a boundary in the user account data store that stores the e-mail data, the boundary delineating e-mail data in the user account data store that is accessed in identifying the set of collection accounts.
  - 15. The computer implemented method of claim 14 and further comprising:
    - identifying a dropbox forwarding account threshold indicative of the threshold number of forwarding e-mail accounts.
  - 16. The computer implemented method of claim 15 wherein identifying the dropbox forwarding account threshold comprises:
    - determining a first ratio of a number of e-mail accounts in the set of forwarding e-mail accounts to a number of dropbox e-mail accounts identified in the boundary, a second ratio of a total number of e-mail accounts in the boundary to a total number of forwarding e-mail accounts in the boundary, and a threshold number of unique dropbox e-mail accounts identified in the boundary; and
      
      identifying the dropbox forwarding account threshold based on the first threshold, the second threshold and the threshold number of unique dropbox e-mail accounts identified in the boundary.
  - 17. The computer implemented method of claim 12 wherein performing a resolution action comprises at least one of:
    - automatically suspending the malicious collection e-mail accounts;
      
      automatically re-configuring filtering information corresponding to the malicious collection e-mail accounts to inhibit forwarding of messages from the malicious collection e-mail accounts;
      
      orautomatically removing forwarding status information corresponding to the malicious collection e-mail accounts to inhibit forwarding of messages from the malicious collection e-mail accounts.

18. A computing system, comprising:
- a processor; and
  
  memory storing instructions executable by the processor, wherein the instructions, when executed, configure the computing system to provide;
  
  a collection account identifying component configured to;
  
  based on electronic mail (e-mail) data in a user account data store, identify, as a set of collection accounts, forwarding e-mail accounts that are each configured to forward messages to a particular e-mail account; and
  
  generate a collection account identifier indicative of the set of collection accounts;
  
  a dropbox account identification component configured to;
  
  obtain the collection account identifier;
  
  compare the number of accounts, in the set of collection accounts, to a threshold number;
  
  based on the comparison, identify the particular e-mail account as a dropbox e-mail account that is a destination of forwarded messages from the threshold number of the forwarding e-mail accounts;
  
  malicious collection account identifying component configured to;
  
  identify, as malicious collection e-mail accounts, at least a subset of the forwarding e-mail accounts that forward messages to the identified dropbox e-mail account, andgenerate a malicious collection account identifier identifying the malicious collection e-mail accounts; and
  
  a resolution system configured to;
  
  based on the malicious collection account identifier, perform a resolution action comprising at least one of;
  
  automatically suspend the malicious collection e-mail accounts;
  
  automatically re-configure filtering information corresponding to the malicious collection e-mail accounts to inhibit forwarding of messages from the malicious collection e-mail accounts;
  
  orautomatically remove forwarding status information corresponding to the malicious collection e-mail accounts to inhibit forwarding of messages from the malicious collection e-mail accounts.
- View Dependent Claims (19)
- - 19. The computing system of claim 18 and further comprising:
    - boundary identifying logic that is configured to identify a boundary in the user account data store that stores the e-mail data, the boundary delineating e-mail data in the user account data store that is accessed by the collection account identifying logic in identifying the set of collection accounts; and
      
      threshold setting logic that is configured to identify a dropbox forwarding account threshold indicative of the threshold number of forwarding e-mail accounts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Moreau-Cook, Aaron J., Trim, Samuel Terrence, Xu, Yuxiang, John, Aby
Primary Examiner(s)
Shaifer Harriman, Dant B

Application Number

US15/052,344
Publication Number

US 20170244747A1
Time in Patent Office

965 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/00   User-to-user messaging in p...

H04L 51/212   using filtering or selectiv...

H04L 63/1441   Countermeasures against mal...

Identifying user behavior in a distributed computing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying user behavior in a distributed computing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links