System and method for detecting sources of abnormal computer network messages

US 20060031464A1
Filed: 05/26/2004
Published: 02/09/2006
Est. Priority Date: 05/07/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting sources of abnormal message traffic on a network, said method comprising the steps of:

a) utilizing an abnormality detection engine to detect said abnormal message traffic; and

b) reporting on said abnormal message traffic.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates generally to a system and method for the monitoring of email and other message traffic on a network. The intent of the monitoring to determine if message traffic is abnormal, thus indicating unwanted messages such as spam. A number of methods may be utilized by the invention to recognize unwanted messages, including the calculation of fanout, the number of messages sent by a unique host, unique email address or domain. Also included is fanin, the number of messages received from unique hosts, unique domains or unique email addresses. Further components consider the number of error messages received from a host, variations in bandwidth from a host, and variations in message content from a host.

53 Citations

View as Search Results

29 Claims

1. A method for detecting sources of abnormal message traffic on a network, said method comprising the steps of:
- a) utilizing an abnormality detection engine to detect said abnormal message traffic; and
  
  b) reporting on said abnormal message traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein said abnormality detection engine consists of one or more of components selected from the set of:
    - a fanout detector, a fanin detector, an error response detector;
      
      a bandwidth variation detector;
      
      or a message content detector.
  - 3. The method of claim 1 wherein said traffic is email.
  - 4. The method of claim 1 wherein said traffic comprises HTTP messages.
  - 5. The method of claim 2, wherein said fanout detector detects an abnormal amount of traffic to multiple hosts from a single address.
  - 6. The method of claim 5, wherein said fanout detector utilizes a threshold to determine said abnormal amount of traffic.
  - 7. The method of claim 2, wherein said fanin detector detects an abnormal amount of traffic from multiple hosts to a single address.
  - 8. The method of claim 7, wherein said fanin detector utilizes a threshold to determine said abnormal amount of traffic.
  - 9. The method of claim 2, wherein said error response detector detects an abnormal amount of error messages.
  - 10. The method of claim 9, wherein said error response detector utilizes a threshold to determine said abnormal amount of error messages.
  - 11. The method of claim 2, wherein said bandwidth variation detector detects a steady rate of messages.
  - 12. The method of claim 11, wherein said bandwidth variation detector utilizes a threshold to determine said steady rate of messages.
  - 13. The method of claim 2, wherein said message content detector detects if messages coming from a single source are largely the same.
  - 14. The method of claim 13, wherein said message content detector utilizes a threshold to determine if said messages coming from a single source are largely the same.

15. A system for detecting sources of abnormal traffic in a network, said system comprising an abnormality detection engine, said abnormality detection engine accepting messages to and from said network and providing a report as output, said abnormality detection engine comprising one or more abnormality detectors, selected from the set of:
- a fanout detector, a fanin detector, an error response detector, a bandwidth variation detector;
  
  or a variation in message content detector.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The system of claim 15 wherein said traffic is email.
  - 17. The system of claim 15 wherein said traffic comprises HTTP messages.
  - 18. The system of claim 15, wherein said fanout detector detects an abnormal amount of traffic to multiple hosts from a single address.
  - 19. The system of claim 18, wherein said fanout detector utilizes a threshold to determine said abnormal amount of traffic.
  - 20. The system of claim 15, wherein said fanin detector detects an abnormal amount of traffic from multiple hosts to a single address.
  - 21. The system of claim 20, wherein said fanin detector utilizes a threshold to determine said abnormal amount of traffic.
  - 22. The system of claim 15, wherein said error response detector detects an abnormal amount of error messages.
  - 23. The system of claim 22, wherein said error response detector utilizes a threshold to determine said abnormal amount of error messages.
  - 24. The system of claim 15, wherein said bandwidth variation detector detects a steady rate of messages.
  - 25. The system of claim 24, wherein said bandwidth variation detector utilizes a threshold to determine said steady rate of messages.
  - 26. The system of claim 15, wherein said message content detector detects if messages coming from a single source are largely the same.
  - 27. The system of claim 26, wherein said message content detector utilizes a threshold to determine if said messages coming from a single source are largely the same.

28. A computer readable medium, for detecting sources of abnormal message traffic on a network, said medium comprising instructions for:
- a) utilizing an abnormality detection engine to detect said abnormal message traffic; and
  
  b) reporting on said abnormal message traffic.
- View Dependent Claims (29)
- - 29. The medium of claim 28 wherein said abnormality detection engine consists of instructions for one or more of a fanout detector, a fanin detector, an error response detector, a bandwidth variation detector;
    - or a variation in message content detector.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PNI Canada Acquireco Corp. (Francisco Partners Management LLC)
Original Assignee
Sandvine Incorporated ULC (Sandvine Corp.)
Inventors
Bowman, Don, Bedi, Harmeet Singh

Granted Patent

US 10,686,680 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 2101/37   E-mail addresses

H04L 43/00   Arrangements for monitoring...

H04L 43/08   Monitoring or testing based...

H04L 43/16   Threshold monitoring

H04L 51/212   using filtering or selectiv...

H04L 61/00   Network arrangements, proto...

H04L 61/30   Managing network names, e.g...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

System and method for detecting sources of abnormal computer network messages

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting sources of abnormal computer network messages

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links