
Technique for detecting suspicious electronic messages

  • US 10,572,664 B2
  • Filed: 09/18/2017
  • Issued: 02/25/2020
  • Est. Priority Date: 09/19/2016
  • Status: Active Grant
First Claim

1. A method of detecting suspicious electronic messages, wherein the method is performed in a messaging server which is in communication with a plurality of message senders and a plurality of message receivers, wherein the method comprises the steps of:

  • receiving electronic messages sent from the plurality of message senders to at least one message receiver;

  • extracting from each received message at least one message sender address feature (AF) and at least one message content feature (CF);

  • recording the extracted at least one message sender address features (AF) and at least one message content features (CF) in a database;

  • determining, on the basis of the message content features (CFs) recorded in the database, whether a specific content feature that can be associated with a current message has already been recorded in the past;

  • if the specific content feature has already been recorded in the past, determining, on the basis of the message sender address features (AFs) recorded in the database, a number (N) of message senders that can be associated with the specific content feature; and

  • classifying the current message as suspicious if the determined number (N) of message senders that can be associated with the specific content feature exceeds a predetermined threshold value (N1), wherein the predetermined threshold value (N1) is dynamically adjusted, wherein time-stamped message sender address features (AFs) and message content features (CFs) are recorded in two separate index data structures, wherein a first index data structure (IDX1) comprises a data set (ts, CF) of time-stamped message content features (CFs) and a second index data structure (IDX2) comprises a data set (ts, CF, AF) of time-stamped message content features (CFs) and message sender address features (AFs), and wherein, if the current message has been classified as suspicious, the method further comprises at least one of the following steps:

    • blocking the current message; and

    • subjecting the current message to an anti-virus (AV) analysis.
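The following is an added worked example (not the patent's own code) that models the steps of claim 1 end to end: each message yields a sender address feature (AF) and a content feature (CF); both are recorded with timestamps in two index structures, IDX1 holding (ts, CF) and IDX2 holding (ts, CF, AF); a message whose CF was already recorded is classified as suspicious when the number N of distinct senders for that CF exceeds a dynamically adjusted threshold N1. How CF is derived (a hash of the normalised body), how N1 is adjusted (a fraction of the senders active in a sliding window, with a floor) and the window length are assumptions of this example; the claim does not fix them. The constructed traffic shows why the distinct-sender count, rather than raw repetition, is the signal: a newsletter repeating one body from one sender is never flagged, while the same body arriving from several senders is.

```python
"""Added example (not the patent's code): a minimal model of the detection
method in claim 1.  CF derivation, the N1 adjustment rule and the sliding
window are assumptions made here; the claim does not specify them."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Message:
    ts: int        # arrival time, unix seconds
    sender: str    # sender address as seen by the messaging server
    body: str


def content_feature(body: str) -> str:
    """CF: hash of the whitespace-collapsed, lower-cased body (assumption)."""
    normalised = re.sub(r"\s+", " ", body.strip().lower())
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


def address_feature(sender: str) -> str:
    """AF: the normalised full sender address (assumption)."""
    return sender.strip().lower()


@dataclass
class Detector:
    window: int = 3600         # seconds of history that count as "the past"
    base_threshold: int = 3    # floor for N1
    # IDX1: CF -> timestamps at which that CF was recorded  (data set (ts, CF))
    idx1: dict = field(default_factory=lambda: defaultdict(list))
    # IDX2: CF -> {AF: latest ts}  (data set (ts, CF, AF), latest ts per pair)
    idx2: dict = field(default_factory=lambda: defaultdict(dict))

    def threshold(self, now: int) -> int:
        """N1, adjusted dynamically: 5% of the distinct senders active in the
        window, never below base_threshold (assumption)."""
        active = {af for afs in self.idx2.values()
                  for af, ts in afs.items() if now - ts <= self.window}
        return max(self.base_threshold, int(0.05 * len(active)))

    def inspect(self, msg: Message) -> dict:
        cf = content_feature(msg.body)
        af = address_feature(msg.sender)
        # Was this CF recorded in the past (IDX1), before the current message?
        seen_before = any(msg.ts - ts <= self.window for ts in self.idx1[cf])
        # Record the current message in both index structures.
        self.idx1[cf].append(msg.ts)
        self.idx2[cf][af] = msg.ts
        n1 = self.threshold(msg.ts)
        n = 0
        suspicious = False
        if seen_before:
            # N: distinct senders associated with this CF inside the window
            # (from IDX2), the current sender included.
            n = sum(1 for ts in self.idx2[cf].values() if msg.ts - ts <= self.window)
            suspicious = n > n1
        # Claim 1 names blocking or AV analysis as the follow-up step for a
        # suspicious message; blocking is used here.
        return {"cf": cf, "af": af, "N": n, "N1": n1,
                "suspicious": suspicious,
                "action": "block" if suspicious else "deliver"}


def run_demo() -> dict:
    """Constructed traffic: 80 distinct legitimate senders with unique bodies,
    one newsletter sender repeating a body, then a 6-sender campaign sharing a body."""
    det = Detector()
    t = 1_700_000_000
    for i in range(80):
        det.inspect(Message(t + i, f"user{i}@example.org", f"invoice {i} attached"))
    newsletter = [det.inspect(Message(t + 100 + i, "news@example.org", "Weekly digest"))
                  for i in range(10)]
    campaign = [det.inspect(Message(t + 200 + i, f"acct{i}@example.net",
                                    "Your mailbox is full, verify now"))
                for i in range(6)]
    return {
        "newsletter_flagged": sum(v["suspicious"] for v in newsletter),
        "campaign_verdicts": [(v["N"], v["N1"], v["suspicious"]) for v in campaign],
        "first_flagged_index": next(i for i, v in enumerate(campaign) if v["suspicious"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run the background traffic lifts N1 from its floor of 3 to 4, so the campaign is flagged only at its fifth sender (N = 5 > N1 = 4) rather than its fourth; the newsletter, with N = 1 throughout, is never flagged. That ordering of record-then-count means the current sender is part of N, while the "already recorded" check is made against IDX1 before the current message is written, so a first sighting can never be classified as suspicious.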

  • 1 Assignment