Proactive protection against e-mail worms and spam

US 20040117648A1
Filed: 12/16/2002
Published: 06/17/2004
Est. Priority Date: 12/16/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting the presence of malicious computer code in a plurality of e-mails, said method comprising, for each e-mail, the steps of:

calculating a feature vector, said feature vector being representative of a presence of at least one preselected feature in the e-mail;

calculating at least one score based upon said feature vector, each said score being representative of a frequency of occurrence of an instance of a feature;

determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and

when a score exceeds a preselected malicious threshold, blocking said e-mail.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a plurality of e-mails. In a method embodiment of the present invention, the following steps are performed for each e-mail: calculating a feature vector (80), said feature vector (80) being representative of a presence of at least one preselected feature in the e-mail; calculating at least one score (S) based upon said feature vector (80), each said score (S) being representative of a frequency of occurrence of an instance of a feature; determining whether any score (S) exceeds a preselected malicious threshold representative of malicious computer code; and when a score (S) exceeds a preselected malicious threshold, blocking said e-mail.

180 Citations

24 Claims

1. A method for detecting the presence of malicious computer code in a plurality of e-mails, said method comprising, for each e-mail, the steps of:
- calculating a feature vector, said feature vector being representative of a presence of at least one preselected feature in the e-mail;
  
  calculating at least one score based upon said feature vector, each said score being representative of a frequency of occurrence of an instance of a feature;
  
  determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
  
  when a score exceeds a preselected malicious threshold, blocking said e-mail.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1 wherein a feature vector is not calculated when the e-mail is deemed to be harmless according to preselected criteria.
  - 3. The method of claim 2 wherein said preselected criteria include criteria from the group comprising:
    - the e-mail has no attachments; and
      
      the e-mail contains no script.
  - 4. The method of claim 1 further comprising, prior to executing the first calculating step, the step of placing the e-mail into a delay queue for a preselected time X while the method steps of claim 1 are performed.
  - 5. The method of claim 4 further comprising the steps of:
    - determining whether a score S crosses a preselected suspicion threshold; and
      
      when S crosses the preselected suspicion threshold, adjusting X.
  - 6. The method of claim 5 wherein X is adjusted for all e-mails having the feature instance corresponding to S.
  - 7. The method of claim 5 wherein X is increased when the suspicion threshold is crossed in a positive direction.
  - 8. The method of claim 5 wherein X is decreased when the suspicion threshold is crossed in a negative direction.
  - 9. The method of claim 4 further comprising, when a score is greater than the malicious threshold, removing from the delay queue all e-mails having a feature instance corresponding to the feature instance having the score that exceeded the malicious threshold.
  - 10. The method of claim 1 wherein the feature vector comprises at least one entry, said method further comprising the steps of:
    - comparing each entry in the feature vector with entries in a pre-established blocked feature instance library; and
      
      when an entry in the feature vector matches an entry in the blocked feature instance library, blocking said e-mail.
  - 11. The method of claim 10 further comprising the step of removing false positives from the blocked feature instance library.
  - 12. The method of claim 1 further comprising the step of updating, for each e-mail, a feature bin table, said updating comprising augmenting the feature bin table with one entry for each instance of each feature.
  - 13. The method of claim 12 wherein each score S has three components:
    - a first component representative of a number of e-mails arriving within a current time window Q;
      
      a decaying weighted value R representing e-mail entries recently deleted from the feature bin table; and
      
      a memory decaying weighted value P taking into account all previously calculated scores S for that feature instance.
  - 14. The method of claim 13 wherein S is calculated using an algorithm containing parameters that are determined empirically.
  - 15. The method of claim 12 wherein each feature bin table entry comprises an identifier of the e-mail and a time stamp.
  - 16. The method of claim 12 further comprising the step of determining whether a current time of arrival of the e-mail exceeds a time of a first entry in the feature bin table for that feature instance by more than a preselected sample time Q, and when the current time so exceeds said time of first entry, placing all feature bin table entries for that feature instance whose times are older than the current time by more than Q into a recently removed entry storage area.
  - 17. The method of claim 1 wherein each score is recalculated whenever a feature vector is calculated.
  - 18. The method of claim 1 wherein the blocking step comprises at least one of the following:
    - alerting a system administrator;
      
      deleting the e-mail;
      
      quarantining the e-mail; and
      
      analyzing the e-mail.
  - 19. The method of claim 1 further comprising the step of updating a virus signature library when a score exceeds the preestablished malicious threshold.
  - 20. The method of claim 1 wherein said plurality of e-mails seek to enter an enterprise from outside the enterprise.
  - 21. The method of claim 1 wherein said plurality of e-mails seek to exit an enterprise en route to locations outside the enterprise.
  - 22. The method of claim 1 wherein at least one preselected feature is a feature from the following group of features:
    - contents of a subject line of the e-mail;
      
      an e- mail attachment;
      
      a hash of an e-mail attachment;
      
      a name of an e-mail attachment;
      
      a size of an e-mail attachment;
      
      a hash of an e-mail body;
      
      parsed script within the e-mail body;
      
      a hash of parsed script within the e-mail body;
      
      parsed script within an e- mail attachment;
      
      a hash of parsed script within an e-mail attachment.

23. A computer-readable medium containing computer program instructions for detecting the presence of malicious computer code in a plurality of e-mails, said computer program instructions performing, for each e-mail, the steps of:
- calculating a feature vector, said feature vector being representative of a presence of at least one preselected feature in the e-mail;
  
  calculating at least one score based upon said feature vector, each said score being representative of a frequency of occurrence of an instance of a feature;
  
  determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
  
  when a score exceeds a preselected malicious threshold, blocking said e-mail.

24. Apparatus for detecting the presence of malicious computer code in a plurality of e-mails, said apparatus comprising:
- first calculating means for calculating a feature vector for each e-mail, said feature vector being representative of a presence of at least one preselected feature in the e-mail;
  
  second calculating means for calculating for each e-mail at least one score based upon said feature vector, each said score being representative of a frequency of occurrence of an instance of a feature;
  
  coupled to the second calculating means, means for determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
  
  coupled to the determining means, means for blocking said e-mail when a score exceeds a preselected malicious threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kissel, Timo S.

Granted Patent

US 7,373,664 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Proactive protection against e-mail worms and spam

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

180 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Proactive protection against e-mail worms and spam

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others