System and methods for detecting malicious email transmission
Abstract
A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
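The clique check described in the abstract, as an added example (not code from the patent). It assumes a clique is a maximal set of recipients who were each addressed together in at least `min_count` prior emails, and that an email violates the policy when no single clique contains all of its recipients; the function names, the threshold and the sample data are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: recipient lists of prior emails sent from one account.
PRIOR_EMAILS = [
    ["alice", "bob", "carol"], ["alice", "bob", "carol"], ["bob", "carol"],
    ["dave", "erin"], ["dave", "erin", "frank"], ["dave", "erin", "frank"],
    ["alice", "dave"],  # one-off pairing, below the threshold
]

def build_graph(prior_emails, min_count=2):
    """Link two recipients seen together in >= min_count prior emails."""
    pairs = Counter()
    for recipients in prior_emails:
        pairs.update(combinations(sorted(set(recipients)), 2))
    graph = {}
    for (a, b), n in pairs.items():
        if n >= min_count:
            graph.setdefault(a, set()).add(b)
            graph.setdefault(b, set()).add(a)
    return graph

def maximal_cliques(graph):
    """Bron-Kerbosch enumeration (no pivoting; adequate for one mailbox)."""
    cliques = []
    def expand(r, p, x):
        if not p and not x:
            cliques.append(frozenset(r))  # r cannot be extended further
            return
        for v in list(p):
            expand(r | {v}, p & graph[v], x & graph[v])
            p = p - {v}   # v is done: exclude it from later candidates
            x = x | {v}
    expand(set(), set(graph), set())
    return cliques

def spans_cliques(recipients, cliques):
    """True when no single clique contains every recipient of the email.
    Single-recipient emails are never flagged by this check."""
    rset = set(recipients)
    return len(rset) > 1 and not any(rset <= c for c in cliques)

if __name__ == "__main__":
    cliques = maximal_cliques(build_graph(PRIOR_EMAILS))
    for email in (["alice", "bob"], ["alice", "erin"], ["bob", "carol", "dave"]):
        print(email, "-> flag" if spans_cliques(email, cliques) else "-> ok")
```

Raising `min_count` shrinks the cliques and flags more mail; the value has to be tuned against each account's history.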
53 Claims
1. A method for detecting an occurrence of a violation of an email security policy of a computer system by transmission of selected email through said computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
(a) defining a model relating to prior transmission of email through said computer system derived from statistics relating to prior emails transmitted through said computer system;
(b) gathering statistics relating to said transmission of selected email through said computer system; and
(c) classifying said selected email as being a member of a classification by applying said model to said statistics relating to said transmission of selected email through said computer system.
Dependent claims: 2-36.

37. A method for detecting an occurrence of a violation of an email security policy of a computer system by transmission of selected email through said computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
(a) defining a model relating to prior email transmitted by said email account derived from statistics relating to prior emails transmitted by said email account;
(b) gathering statistics relating to said selected emails transmitted by said email account;
(c) defining a model of said new email transmission derived from said statistics; and
(d) comparing said model of said new email transmission and said model relating to prior email transmitted by said email account.
Dependent claims: 38-46.

47. A system for detecting an occurrence of a violation of an email security policy of a computer system by transmission of selected email through said computer system comprising:
(a) a client comprising;
(i) an email server configured to receive and transmit said selected email for one or more email accounts;
(ii) a client database configured to store information relating to said selected email and a model derived from statistics relating to prior emails transmitted through said computer system; and
(iii) an analysis component configured to define a model for said selected email based on statistics relating to said selected email and compare said selected email model and said model derived from statistics relating to said prior emails;
(iv) a communications component configured to transmit statistics relating to the selected email to a server; and
(b) a server comprising a server database configured to store statistics relating to said emails, and to transmit said statistics to said client.
Dependent claims: 48-51.

52. The system as recited in claim 52, wherein the client database is configured to store statistics relating to prior email transmitted by said one or more email accounts in a histogram.
53. The system as recited in claim 53, wherein the analysis component is configured to compare a histogram relating to said selected email to said histogram relating to said prior email.
Specification