Reputation-based method and system for determining a likelihood that a message is undesired

US 10,193,898 B2
Filed: 08/30/2013
Issued: 01/29/2019
Est. Priority Date: 10/31/2006
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a computing device having a processor and memory, the computing device including a security appliance configured to;

receive, from a reputation engine, a first reputation metric corresponding to a first tuple of a plurality of tuples, the first tuple comprising a user identifier and an Internet Protocol (IP) address for an origin of a message and associated with a first level of granularity for identification of the origin of the message;

receive, from the reputation engine, a second reputation metric corresponding to a second tuple of the plurality of tuples, the second tuple comprising a domain and the IP address for the origin of the message and associated with a second level of granularity for identification of the origin of the message; and

calculate a value indicative of a likelihood that the message is undesired by use of the first reputation metric corresponding to the first tuple associated with the first level of granularity and the second reputation metric corresponding to the second tuple associated with the second level of granularity; and

handling the message in accordance with the value indicative of the likelihood that the message is undesired;

wherein the reputation engine is configured to determine the first reputation metric and the second reputation metric in response to receiving the plurality of tuples associated with the message; and

wherein a reputation metric associated with a tuple assigned a finer granularity contributes to the value more than a reputation metric associated with a tuple assigned a lower granularity.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing a reputation service for use in messaging environments employs a reputation of compiled statistics, representing whether SPAM messages have previously been received from respective a selected set of identifiers for the origin of the message, in a decision making process for newly received messages. In a preferred embodiment, the set of identifiers includes the IP address, a tuple of the domain and IP address and a tuple of the user and IP address and the set of identifiers allows for a relatively fine grained set of reputation metrics to be compiled and used when making a determination of a likelihood as to whether a received message is undesired in accordance with the invention.

77 Citations

View as Search Results

13 Claims

1. A system, comprising:
- a computing device having a processor and memory, the computing device including a security appliance configured to;
  
  receive, from a reputation engine, a first reputation metric corresponding to a first tuple of a plurality of tuples, the first tuple comprising a user identifier and an Internet Protocol (IP) address for an origin of a message and associated with a first level of granularity for identification of the origin of the message;
  
  receive, from the reputation engine, a second reputation metric corresponding to a second tuple of the plurality of tuples, the second tuple comprising a domain and the IP address for the origin of the message and associated with a second level of granularity for identification of the origin of the message; and
  
  calculate a value indicative of a likelihood that the message is undesired by use of the first reputation metric corresponding to the first tuple associated with the first level of granularity and the second reputation metric corresponding to the second tuple associated with the second level of granularity; and
  
  handling the message in accordance with the value indicative of the likelihood that the message is undesired;
  
  wherein the reputation engine is configured to determine the first reputation metric and the second reputation metric in response to receiving the plurality of tuples associated with the message; and
  
  wherein a reputation metric associated with a tuple assigned a finer granularity contributes to the value more than a reputation metric associated with a tuple assigned a lower granularity.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the security appliance is configured to provide a second value indicative of a likelihood that the message is undesired without use of the first reputation metric and the second reputation metric to the reputation engine for use in updating the first reputation metric and the second reputation metric.
  - 3. The system of claim 1, wherein the security appliance is configured to receive a spoof metric corresponding to at least one of the first reputation metric or the second reputation metric, and to calculate the value by use of the received spoof metric.

4. An apparatus, comprising:
- a processor; and
  
  a non-transitory computer-readable medium storing instructions that when executed cause the processor to;
  
  receive, from a reputation engine, a first reputation metric corresponding to a first tuple of a plurality of tuples, the first tuple comprising a user identifier and an Internet Protocol (IP) address for an origin of a message and associated with a first level of granularity for identification of the origin of the message;
  
  receive, from the reputation engine, a second reputation metric corresponding to a second tuple of the plurality of tuples, the second tuple comprising a domain and the IP address for the origin of the message and associated with a second level of granularity for identification of the origin of the message; and
  
  calculate a value indicative of a likelihood that the message is undesired using the first reputation metric corresponding to the first tuple associated with the first level of granularity and the second reputation metric corresponding to the second tuple associated with the second level of granularity;
  
  wherein a reputation metric associated with a tuple assigned a finer granularity contributes to the value more than a reputation metric associated with a tuple assigned a lower granularity.
- View Dependent Claims (5, 6, 7)
- - 5. The apparatus of claim 4, wherein the reputation engine is configured to update the first reputation metric and the second reputation metric by use of another value indicative of a likelihood that the message is undesired calculated independently of the first reputation metric and the second reputation metric.
  - 6. The apparatus of claim 4, wherein the reputation engine is configured to determine a reputation metric of a tuple based on a total of received messages corresponding to the tuple and a total of received messages corresponding to the tuple that have been identified as undesired.
  - 7. The apparatus of claim 4, wherein the reputation engine is configured to determine a spoof metric corresponding to at least one of the first reputation metric and the second reputation metric, and to provide the spoof metric for use in calculating the value.

8. A computer program product comprising a non-transitory computer-readable storage medium storing program code executable to perform operations, comprising:
- determining a first tuple of a plurality of tuples, the first tuple comprising a user identifier and an Internet Protocol (IP) address for a message and associated with a first level of granularity for identification of the message;
  
  determining a second tuple of the plurality of tuples, the second tuple comprising a domain and the IP address for the message and associated with a second level of granularity for identification of the message;
  
  determining a first reputation metric corresponding to the first tuple;
  
  determining a second reputation metric corresponding to the second tuple; and
  
  calculating a value indicative of a likelihood that the message is undesired using the first reputation metric corresponding to the first tuple associated with the first level of granularity and the second reputation metric corresponding to the second tuple associated with the second level of granularity;
  
  wherein a reputation metric associated with a tuple assigned a finer granularity contributes to the value more than a reputation metric associated with a tuple assigned a lower granularity.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program product of claim 8, wherein the operations further comprise:
    - calculating a second value indicative of a likelihood that the message is undesired without use of the first reputation metric and the second reputation metric; and
      
      providing the second value to a reputation engine for use in updating the first reputation metric and the second reputation metric.
  - 10. The computer program product of claim 8, wherein a reputation metric associated with a tuple assigned a finer granularity contributes to the value more than a reputation metric associated with a tuple assigned a lower granularity.
  - 11. The computer program product of claim 8, the operations further extracting an identifier corresponding to the message, wherein at least one of the tuples comprises the extracted identifier.
  - 12. The computer program product of claim 8, wherein the value indicative of a likelihood that the message is undesired is based on a spoof metric of one of the first reputation metric or the second reputation metric.
  - 13. The computer program product of claim 12, wherein the spoof metric is based on whether received messages have previously been received from the domain name and the Internet Protocol address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Gabe, Christopher John
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/015,925
Publication Number

US 20130347108A1
Time in Patent Office

1,978 Days
Field of Search
US Class Current
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1408   by monitoring network traff...

Reputation-based method and system for determining a likelihood that a message is undesired

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Reputation-based method and system for determining a likelihood that a message is undesired

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others