Systems and Methods For Message Threat Management

US 20060265747A1
Filed: 07/12/2006
Published: 11/23/2006
Est. Priority Date: 03/08/2002
Status: Active Grant

First Claim

Patent Images

1-38. -38. (canceled)

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical term. Features are extracted from the reduced threat information; these features in conjuntion with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.

269 Citations

62 Claims

1-38. -38. (canceled)

39. A method for operation upon one or more data processors to assign a reputation to a messaging entity, comprising:
- receiving data that identifies one or more characteristics related to a messaging entity'"'"'s communication;
  
  determining a reputation score associated with the received communication based upon the identification data;
  
  wherein the determined reputation score is indicative of reputation of the messaging entity;
  
  wherein the determined reputation score is used in deciding what action is to be taken with respect to communication associated with the messaging entity.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 40. The method of claim 39, wherein the determined reputation score is distributed to one or more computer systems for use in filtering transmissions.
  - 41. The method of claim 39, wherein the determined reputations core is locally distributed to a program for use in filtering transmissions.
  - 42. The method of claim 39, further comprising:
    - determining reputation indicative probabilities based upon the received identification data;
      
      wherein a reputation indicative probability indicates reputability of a messaging entity based upon extent to which the identified one or more communication'"'"'s exhibit or conform to one or more reputation-related criteria.
  - 43. The method of claim 42, wherein a type of messaging entity to which reputations are assigned is a domain name, IP address phone number, or individual electronic address or username representing an organization, computer, a message, or individual user that transmits electronic messages.
  - 44. The method of claim 39 further comprising:
    - determining reputation indicative probabilities based upon the received identification data;
      
      wherein a reputation indicative probability indicates reputability of a messaging entity based upon extent to which the identified one or more communication'"'"'s characteristics exhibit or conform to one or more reputation-related criteria;
      
      wherein determining the reputation score includes determining the reputation score based upon aggregation of the determined probabilities.
  - 45. The method of claim 39, wherein the communication comprises one of an electronic message communication, a VoIP communication, an HTTP communication, a FTP communication, an SMS communication, or a MMS communication.
  - 46. The method of claim 39, further comprising the step of adjusting the reputation of the messaging entity based upon the determined reputation score.
  - 47. The method of claim 39, further comprising signing the communication and subparts of the communication;
    - determining whether the message has been altered based upon signatures produced by the signing step.
  - 48. The method of claim 39, further comprising:
    - comparing the reputation associated with a first messaging entity to the reputation of a second messaging entity, wherein the first and second messaging entities are associated with each other; and
      
      , reconciling any differences between the first and second messaging entity.
  - 49. The method of claim 48, wherein the first messaging entity is a phone number, and the second messaging entity is an internet protocol address associated with the phone number.

50. A method of performing transmission filtering utilizing reputation scores of transmission sender, the method comprising:
- identifying at least one characteristic about a transmission from a sender;
  
  performing a real-time query to a reputation system that includes the transmission characteristic;
  
  receiving a score representing reputation related to the transmission;
  
  performing an action on the transmission from the sender corresponding to the score range of the sender'"'"'s reputation.
- View Dependent Claims (51, 52, 53, 54)
- - 51. The method of claim 50, wherein the action includes at least one of the following actions:
    - rejecting all further transmission from that sender for a period of time or number of transmissions;
      
      silently dropping all further transmissions from that sender for a period of time or number of transmissions;
      
      quarantining all further transmissions from that sender for a period of time or number of transmissions;
      
      or bypassing certain filtering tests for all further transmissions from that sender for a period of time or number of transmissions.
  - 52. The method of claim 50, wherein the step of identifying at least one characteristic includes extracting unique origination information about the transmission, or authenticating unique origination information about the transmission, or combinations thereof.
  - 53. The method of claim 52, wherein the unique origination information includes information about the sender of the transmission.
  - 54. The method of claim 50, wherein the step of identifying at least one characteristic includes extracting a signature from the transmission or performing a hash of the transmission.

55. A method of performing filtering of groups of transmissions utilizing reputation scores of senders of transmissions, the method comprising:
- grouping multiple transmissions together based on content similarities or similarities in transmission sender behavior;
  
  identifying at least one characteristic about each transmission in the groupings;
  
  performing a query to the reputation system and receiving a score representing reputation of each sender;
  
  classifying groups of transmissions based on the percentage of reputable and non-reputable senders in the group.
- View Dependent Claims (56, 57)
- - 56. The method of claim 55, wherein the step of identifying at least one characteristic includes extracting unique origination information about the transmission, or authenticating unique origination information about the transmission, or combinations thereof.
  - 57. The method of claim 56, wherein the unique origination information includes information about the sender of a transmission.

58. A method of performing tuning and training of filtering systems utilizing reputation scores of senders of transmissions in sets of trainable transmissions, the method comprising:
- identifying at least one characteristic about transmissions from senders;
  
  performing queries to a reputation system and receiving scores representing reputations of the senders;
  
  classifying transmissions into multiple categories based on a range a sender'"'"'s reputation score falls into;
  
  passing on transmissions and their classification categories to a trainer of another filtering system to be used for optimization of the filtering system.
- View Dependent Claims (59, 60)
- - 59. The method of claim 58, wherein the step of identifying at least one characteristic includes extracting unique origination information about the transmissions, or authenticating unique origination information about the transmissions, or combinations thereof.
  - 60. The method of claim 59, wherein the unique origination information includes information about the sender of the transmissions.

61. An article of manufacture comprising a digital signal for transmission using a network;
- wherein the digital signal includes a query to a reputation process;
  
  wherein the reputation process assigns a reputation to a messaging entity by receiving the query containing data related to a messaging entity'"'"'s identity;
  
  wherein the identity data is used by the reputation process to determine reputation indicative probabilities;
  
  wherein a reputation indicative probability indicates reputability of a messaging entity based upon extent to which the messaging entity exhibits or conforms to a reputation-related criterion;
  
  wherein a reputation score is determined based upon aggregation of the determined probabilities;
  
  wherein the determined reputation score is indicative of reputation of the messaging entity;
  
  wherein the determined reputation score is used in deciding what action is to be taken with respect to a communication associated with the messaging entity.
- View Dependent Claims (62)
- - 62. The digital signal of claim 61, wherein a filtering system generates the digital signal and the reputation process receives the digital signal;
    - wherein the digital signal includes packetized data that is transmitted through the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Ciphertrust, Incorporated (McAfee, LLC)
Inventors
Judge, Paul

Granted Patent

US 8,069,481 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and Methods For Message Threat Management

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

269 Citations

62 Claims

Specification

Use Cases

Quick Links

Others

Systems and Methods For Message Threat Management

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

269 Citations

62 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others