Detecting computer security risk based on previously observed communications

US 10,715,543 B2
Filed: 11/27/2017
Issued: 07/14/2020
Est. Priority Date: 11/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method of detecting security risk, comprising:

receiving information about an electronic message that is from a sender for an intended recipient;

determining whether the sender of the electronic message has an established relationship with the intended recipient, wherein the established relationship is based at least in part on previous email messages between the sender and the intended recipient;

in response to the determination that the sender of the electronic message has the established relationship with the intended recipient, using a processor to analyze the electronic message based at least in part on previously observed communications between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient using a statistically analyzed result identifying a likelihood of existence of a cluster of two or more email header items by tracking and matching combinations of corresponding email header items from email headers of previous email messages sent from the sender, wherein the cluster of the combination of two or more of the email header items include a mail user agent (MUA) metadata item, a time zone, an IP address, X-header metadata information, or an identification of a supported character set; and

based on the determined security risk of the electronic message, performing a security action, if applicable.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Information about an electronic message that is from a sender for an intended recipient is received. It is determined whether an electronic message account of the sender of the electronic message is likely an independently controlled account. In response to the determination that the electronic message account of the sender of the electronic message is likely an independently controlled account, the electronic message is analyzed to determine whether the message is an automatically generated message. In response to the determination that the message is an automatically generated message, a security action is performed.

Citations

20 Claims

1. A method of detecting security risk, comprising:
- receiving information about an electronic message that is from a sender for an intended recipient;
  
  determining whether the sender of the electronic message has an established relationship with the intended recipient, wherein the established relationship is based at least in part on previous email messages between the sender and the intended recipient;
  
  in response to the determination that the sender of the electronic message has the established relationship with the intended recipient, using a processor to analyze the electronic message based at least in part on previously observed communications between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient using a statistically analyzed result identifying a likelihood of existence of a cluster of two or more email header items by tracking and matching combinations of corresponding email header items from email headers of previous email messages sent from the sender, wherein the cluster of the combination of two or more of the email header items include a mail user agent (MUA) metadata item, a time zone, an IP address, X-header metadata information, or an identification of a supported character set; and
  
  based on the determined security risk of the electronic message, performing a security action, if applicable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein determining whether the sender of the electronic message has the established relationship with the intended recipient includes determining whether the sender has previously sent the intended recipient a threshold number of messages.
  - 3. The method of claim 1, wherein determining whether the sender of the electronic message has the established relationship with the intended recipient includes determining whether the sender had been in communication with the intended recipient for at least a threshold amount of time.
  - 4. The method of claim 1, wherein determining whether the sender of the electronic message has the established relationship with the intended recipient includes obtaining information about the sender or user relationships of the intended recipient from a service that tracks social network relationship data.
  - 5. The method of claim 1, wherein determining whether the sender of the electronic message has the established relationship with the intended recipient includes determining a trust score associated with the sender with respect to the intended recipient of the message.
  - 6. The method of claim 1, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes using profiles of body content included in previous messages received from the sender.
  - 7. The method of claim 1, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes using profiles of header content included in the previous messages received from the sender.
  - 8. The method of claim 1, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes determining a plurality of risk component scores and combining the plurality of risk component scores to determine an overall risk score of the security risk of the electronic message for the intended recipient.
  - 9. The method of claim 1, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes determining a risk component score based on whether the message includes a keyword and whether the keyword or a related keyword was included in a previous message from the sender.
  - 10. The method of claim 1, wherein determining the security risk of the electronic message for the intended recipient includes computing a Bayesian probability score of a particular feature of message being consistent with past observations of previous messages from the sender.
  - 11. The method of claim 1, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes determining a probability a plurality of aspects of the electronic message have been exhibited together in previous messages from the sender for the intended recipient.
  - 12. The method of claim 1, wherein performing the security action includes selecting based on the determined security risk of the electronic message, which security action option to perform among a plurality of security action options.
  - 13. The method of claim 1, wherein performing the security action includes determining that a risk score associated with the security risk of the electronic message is below a threshold value and allowing the intended recipient to fully access the electronic message by delivering the electronic message to the intended recipient.
  - 14. The method of claim 1, wherein performing the security action includes determining that a risk score associated with the security risk of the electronic message is above a threshold value and modifying the electronic message prior to allowing the intended recipient to access a modified version of the electronic message.
  - 15. The method of claim 1, wherein performing the security action includes performing one or more of the following:
    - sending a verification challenge to an alternative contact of the sender;
      
      performing additional analysis of the electronic message;
      
      quarantining the electronic message;
      
      blocking the electronic message;
      
      executing an executable included in the electronic message in a sandbox or a virtual machine;
      
      adding a warning to the electronic message; and
      
      moving the electronic message to a different folder.

16. A system of detecting security risk, comprising:
- a hardware processor configured to;
  
  receive information about an electronic message that is from a sender for an intended recipient;
  
  determine whether the sender of the electronic message has an established relationship with the intended recipient, wherein the established relationship is based at least in part on previous email messages between the sender and the intended recipient;
  
  in response to the determination that the sender of the electronic message has the established relationship with the intended recipient, analyze the electronic message based at least in part on previously observed communications between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient using a statistically analyzed result identifying a likelihood of existence of a cluster of two or more email header items by tracking and matching combinations of corresponding email header items from email headers of previous email messages sent from the sender, wherein the cluster of the combination of two or more of the email header items include a mail user agent (MUA) metadata item, a time zone, an IP address, X-header metadata information, or an identification of a supported character set; and
  
  based on the determined security risk of the electronic message, perform a security action, if applicable; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes using profiles of body content included in previous messages received from the sender.
  - 18. The system of claim 16, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes using profiles of header content included in the previous messages received from the sender.
  - 19. The system of claim 16, wherein analyzing the electronic message based at least in part on the previously observed communications between the sender and the intended recipient to determine the security risk of the electronic message for the intended recipient includes determining a plurality of risk component scores and combining the plurality of risk component scores to determine an overall risk score of the security risk of the electronic message for the intended recipient.

20. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions executable by a hardware processor for detecting security risk based on by performing:
- receiving information about an electronic message that is from a sender for an intended recipient;
  
  determining whether the sender of the electronic message has an established relationship with the intended recipient, wherein the established relationship is based at least in part on previous email messages between the sender and the intended recipient;
  
  in response to the determination that the sender of the electronic message has the established relationship with the intended recipient, using a processor to analyze the electronic message based at least in part on previously observed communications between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient using a statically analyzed result identifying a likelihood of existence of a cluster of two or more email header items by tracking and matching combinations of corresponding email header items from email headers of previous email messages sent from the sender, wherein the cluster of the combination of two or more of the email header items include a mail user agent (MUA) metadata item, a time zone, an IP address, X-header metadata information, or an identification of a supported character set; and
  
  based on the determined security risk of the electronic message, performing a security action, if applicable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Agari Data, Inc.
Original Assignee
Agari Data, Inc.
Inventors
Jakobsson, Bjorn Markus
Primary Examiner(s)
Chai, Longbit

Application Number

US15/823,196
Publication Number

US 20180152471A1
Time in Patent Office

960 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06N 7/01   Probabilistic graphical mod...

G06Q 50/01   Social networking

H04L 63/0428   wherein the data content is...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Detecting computer security risk based on previously observed communications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting computer security risk based on previously observed communications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links