Proactive protection against e-mail worms and spam
Abstract
Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a plurality of e-mails. In a method embodiment of the present invention, the following steps are performed for each e-mail: calculating a feature vector (80), said feature vector (80) being representative of a presence of at least one preselected feature in the e-mail; calculating at least one score (S) based upon said feature vector (80), each said score (S) being representative of a frequency of occurrence of an instance of a feature; determining whether any score (S) exceeds a preselected malicious threshold representative of malicious computer code; and when a score (S) exceeds a preselected malicious threshold, blocking said e-mail.
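The per-e-mail loop described in the abstract can be sketched as follows. This is an added example, not code from the patent; the two features (attachment SHA-256 and normalized subject), the sliding time window, the count-based score and the threshold values are all assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict, deque

# Assumed values: the abstract only says the thresholds are "preselected".
WINDOW_SECONDS = 600
MALICIOUS_THRESHOLD = {"attachment_sha256": 3, "subject": 5}


def feature_vector(email):
    """Map each preselected feature present in the e-mail to its instance."""
    vec = {}
    if email.get("attachment"):
        vec["attachment_sha256"] = hashlib.sha256(email["attachment"]).hexdigest()
    if email.get("subject"):
        vec["subject"] = email["subject"].strip().lower()
    return vec


class FrequencyScorer:
    def __init__(self, window=WINDOW_SECONDS, thresholds=MALICIOUS_THRESHOLD):
        self.window = window
        self.thresholds = thresholds
        self.seen = defaultdict(deque)  # (feature, instance) -> arrival times

    def scores(self, vec, now):
        """Score = how many e-mails inside the window carried the same instance."""
        out = {}
        for feature, instance in vec.items():
            times = self.seen[(feature, instance)]
            times.append(now)
            while times and now - times[0] > self.window:
                times.popleft()  # expire sightings older than the window
            out[feature] = len(times)
        return out

    def process(self, email, now):
        # Block as soon as any single score exceeds its malicious threshold.
        s = self.scores(feature_vector(email), now)
        blocked = any(v > self.thresholds[f] for f, v in s.items())
        return ("block" if blocked else "deliver"), s


def run_constructed_stream():
    """Constructed sample: one attachment mass-mailed, then an unrelated e-mail."""
    scorer = FrequencyScorer()
    mails = [{"subject": f"report {i}", "attachment": b"constructed bytes"} for i in range(5)]
    mails.append({"subject": "lunch?"})
    return [scorer.process(m, now=10 * i)[0] for i, m in enumerate(mails)]
```

Blocked e-mails still count toward the frequency, so later copies of the same attachment keep scoring above the threshold until the sightings age out of the window.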
24 Claims
1. A method for detecting the presence of malicious computer code in a plurality of e-mails, said method comprising, for each e-mail, the steps of:
- calculating a feature vector, said feature vector being representative of a presence of at least one preselected feature in the e-mail;
- calculating at least one score based upon said feature vector, each said score being representative of a frequency of occurrence of an instance of a feature;
- determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
- when a score exceeds a preselected malicious threshold, blocking said e-mail.

23. A computer-readable medium containing computer program instructions for detecting the presence of malicious computer code in a plurality of e-mails, said computer program instructions performing, for each e-mail, the steps of:
- calculating a feature vector, said feature vector being representative of a presence of at least one preselected feature in the e-mail;
- calculating at least one score based upon said feature vector, each said score being representative of a frequency of occurrence of an instance of a feature;
- determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
- when a score exceeds a preselected malicious threshold, blocking said e-mail.

24. Apparatus for detecting the presence of malicious computer code in a plurality of e-mails, said apparatus comprising:
- first calculating means for calculating a feature vector for each e-mail, said feature vector being representative of a presence of at least one preselected feature in the e-mail;
- second calculating means for calculating for each e-mail at least one score based upon said feature vector, each said score being representative of a frequency of occurrence of an instance of a feature;
- coupled to the second calculating means, means for determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
- coupled to the determining means, means for blocking said e-mail when a score exceeds a preselected malicious threshold.

Specification