Detecting computer security risk based on previously observed communications
Abstract
Information about an electronic message that is from a sender for an intended recipient is received. It is determined whether an electronic message account of the sender of the electronic message is likely an independently controlled account. In response to the determination that the electronic message account of the sender of the electronic message is likely an independently controlled account, the electronic message is analyzed to determine whether the message is an automatically generated message. In response to the determination that the message is an automatically generated message, a security action is performed.
20 Claims
1. A method of detecting security risk, comprising:
- receiving information about an electronic message that is from a sender for an intended recipient;
- determining whether the sender of the electronic message has an established relationship with the intended recipient, wherein the established relationship is based at least in part on previous email messages between the sender and the intended recipient;
- in response to the determination that the sender of the electronic message has the established relationship with the intended recipient, using a processor to analyze the electronic message based at least in part on previously observed communications between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient using a statistically analyzed result identifying a likelihood of existence of a cluster of two or more email header items by tracking and matching combinations of corresponding email header items from email headers of previous email messages sent from the sender, wherein the cluster of the combination of two or more of the email header items include a mail user agent (MUA) metadata item, a time zone, an IP address, X-header metadata information, or an identification of a supported character set; and
- based on the determined security risk of the electronic message, performing a security action, if applicable.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
16. A system of detecting security risk, comprising:
- a hardware processor configured to:
  - receive information about an electronic message that is from a sender for an intended recipient;
  - determine whether the sender of the electronic message has an established relationship with the intended recipient, wherein the established relationship is based at least in part on previous email messages between the sender and the intended recipient;
  - in response to the determination that the sender of the electronic message has the established relationship with the intended recipient, analyze the electronic message based at least in part on previously observed communications between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient using a statistically analyzed result identifying a likelihood of existence of a cluster of two or more email header items by tracking and matching combinations of corresponding email header items from email headers of previous email messages sent from the sender, wherein the cluster of the combination of two or more of the email header items include a mail user agent (MUA) metadata item, a time zone, an IP address, X-header metadata information, or an identification of a supported character set; and
  - based on the determined security risk of the electronic message, perform a security action, if applicable; and
- a memory coupled to the processor and configured to provide the processor with instructions.
Dependent claims: 17, 18, 19
20. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions executable by a hardware processor for detecting security risk based on by performing:
- receiving information about an electronic message that is from a sender for an intended recipient;
- determining whether the sender of the electronic message has an established relationship with the intended recipient, wherein the established relationship is based at least in part on previous email messages between the sender and the intended recipient;
- in response to the determination that the sender of the electronic message has the established relationship with the intended recipient, using a processor to analyze the electronic message based at least in part on previously observed communications between the sender and the intended recipient to determine a security risk of the electronic message for the intended recipient using a statically analyzed result identifying a likelihood of existence of a cluster of two or more email header items by tracking and matching combinations of corresponding email header items from email headers of previous email messages sent from the sender, wherein the cluster of the combination of two or more of the email header items include a mail user agent (MUA) metadata item, a time zone, an IP address, X-header metadata information, or an identification of a supported character set; and
- based on the determined security risk of the electronic message, performing a security action, if applicable.
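The header-cluster analysis recited in the independent claims can be illustrated with a short sketch; this is an added example, not code from the patent or its assignee. The `MIN_HISTORY` threshold, the pair-counting scheme and the scoring formula are assumptions, the IP address item is left out, and the sample messages are constructed.

```python
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from itertools import combinations

MIN_HISTORY = 3  # assumption: messages needed for an "established relationship"

def header_items(msg):  # header items named in the claim, as (kind, value) pairs
    x_names = sorted(k.lower() for k in msg.keys()
                     if k.lower().startswith("x-") and k.lower() != "x-mailer")
    return {("mua", msg.get("X-Mailer") or msg.get("User-Agent") or ""),
            ("tz", parsedate_to_datetime(msg["Date"]).strftime("%z") if msg["Date"] else ""),
            ("charset", msg.get_content_charset() or ""),
            ("x-headers", ",".join(x_names))}

def parse(raw):
    msg = message_from_string(raw)
    key = tuple(parseaddr(msg[h] or "")[1].lower() for h in ("From", "To"))
    return key, list(combinations(sorted(header_items(msg)), 2))

class HeaderProfile:
    def __init__(self):
        self.seen = Counter()               # (sender, recipient) -> message count
        self.combos = defaultdict(Counter)  # (sender, recipient) -> item-pair counts

    def observe(self, raw):
        key, pairs = parse(raw)
        self.seen[key] += 1
        self.combos[key].update(pairs)

    def risk(self, raw):  # None without an established relationship, else 0..1
        key, pairs = parse(raw)
        n = self.seen[key]
        if n < MIN_HISTORY:
            return None
        likelihood = sum(self.combos[key][p] / n for p in pairs) / len(pairs)
        return round(1 - likelihood, 3)

def sample(mua, tz, charset, sender="alice@example.com"):  # constructed message
    return (f"From: {sender}\nTo: bob@example.org\n"
            f"Date: 03 Jun 2024 09:15:00 {tz}\nX-Mailer: {mua}\n"
            f"Content-Type: text/plain; charset={charset}\n\nhello\n")

def demo():
    p = HeaderProfile()
    for _ in range(3):
        p.observe(sample("ExampleMail 5.1", "-0700", "utf-8"))
    cases = [("ExampleMail 5.1", "-0700", "utf-8"), ("ExampleMail 5.1", "+0300", "utf-8"),
             ("OtherClient 1.0", "+0300", "koi8-r")]
    return [p.risk(sample(*c)) for c in cases]
```

A score of `None` means the pair has too little history for header-cluster analysis; a caller would map higher scores to a security action such as quarantine or a warning banner.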
Specification