Source reputation information system with router-level filtering of electronic messages

US 20070162587A1
Filed: 03/22/2007
Published: 07/12/2007
Est. Priority Date: 05/25/2004
Status: Active Grant

First Claim

Patent Images

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network interconnected with a plurality of routers configured to route electronic message packets to destination servers, the system comprising:

an engine configured to identify potentially threatening sources based on reputation data associated with the sources;

a profile database associated with the engine for storing the identified sources; and

wherein the engine is further configured to provide connection data to one or more routers associated with a destination server for updating routing tables corresponding to the one or more routers, the connection data preventing identified threatening sources from delivering electronic messages to the destination server via the one or more routers.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are filtering systems and methods that employ an electronic message source reputation system. The source reputation system maintains a pool of source Internet Protocol (IP) address information, in the form of a Real-Time Threat Identification Network (“RTIN”) database, which can provide the reputation of source IP addresses, which can be used by customers for filtering network traffic. The source reputation system provides for multiple avenues of access to the source reputation information. Examples of such avenues can include Domain Name Server (DNS) -type queries, servicing routers with router-table data, or other avenues.

128 Citations

View as Search Results

60 Claims

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network interconnected with a plurality of routers configured to route electronic message packets to destination servers, the system comprising:
- an engine configured to identify potentially threatening sources based on reputation data associated with the sources;
  
  a profile database associated with the engine for storing the identified sources; and
  
  wherein the engine is further configured to provide connection data to one or more routers associated with a destination server for updating routing tables corresponding to the one or more routers, the connection data preventing identified threatening sources from delivering electronic messages to the destination server via the one or more routers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 38, 39)
- - 2. A system according to claim 1, wherein the engine is further configured to generate updated connection data based on updated reputation data associated with the identified potentially threatening sources, and to provide the updated connection data to the one or more routers for further updating the corresponding routing tables.
  - 3. A system according to claim 2, wherein the updated connection data is provided to the one or more routers in real-time.
  - 4. A system according to claim 1, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 5. A system according to claim 1, wherein the one or more routers belong to a subscribing customer associated with the destination server, the database further storing filtering preferences of the subscribing customer.
  - 6. A system according to claim 1, wherein potentially threatening sources are identified by an evaluation of the reputation data by the engine.
  - 7. A system according to claim 6, wherein the evaluation comprises generating a reputation score for the potentially threatening sources, the reputation score indicating a likelihood that electronic messages from the potentially threatening sources are unwanted, malicious or harmful.
  - 8. A system according to claim 7, wherein the engine is further configured to change the reputation score based on new reputation data associated with the identified potentially threatening sources.
  - 9. A system according to claim 1, wherein the engine is configured to receive the reputation data from a data source comprising a network traffic monitoring system comprising source data associated with source IP addresses of the sources and destination data associated with destination servers.
  - 10. A system according to claim 9, wherein the engine is further configured to compare the source and destination data to a customer'"'"'s preferences stored in the profile database, and based on the comparison generate a list of potentially threatening sources specific to that customer.
  - 11. A system according to claim 1, wherein the engine is configured to receive the reputation data from a data source comprising a customer system, and the reputation data comprises at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists.
  - 12. A system according to claim 1, wherein the engine is configured to receive the reputation data from a data source comprising approved sources selected using a business-based heuristics selection technique.
  - 13. A system according to claim 1, wherein the engine is configured to provide a list of the identified potentially threatening sources to the destination server in response to a query received from the destination server. sources
  - 14. A system according to claim 13, wherein the engine is further configured to authenticate the IP address of the destination server before responding to the query.
  - 15. A system according to claim 1, wherein the connection data prevents the identified threatening sources from delivering electronic messages to the destination server via the one or more routers by redirecting electronic messages from the threatening sources.
  - 16. A system according to claim 1, wherein the connection data causes the one or more routers to drop a connection from the threatening sources.
  - 17. A system according to claim 1, wherein the connection data causes the one or more routers to provide an invalid route for messages sent from the threatening sources.
  - 18. A system according to claim 1, wherein the connection data provided to the one or more routers comprises an update command instructing the one or more routers to update their corresponding routing tables with the connection data.
  - 19. A system according to claim 1, wherein potential threats from the identified sources are selected from the group consisting of a directory harvest attack, a spam attack, a virus outbreak, and a mail bomb/denial-of-service attack.
  - 20. A system according to claim 1, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.
  - 21. A system according to claim 1, wherein the connection data is provided in a Border Gateway Protocol (BGP) to the one or more routers.
  - 22. A system according to claim 1, wherein the source comprises a source IP address.
  - 38. A method according to claim 39, wherein the connection data causes the one or more routers to drop a connection from the threatening sources.
  - 39. A method according to claim 22, wherein the connection data causes the one or more routers to provide an invalid route for messages sent from the threatening sources.

23. A method of filtering a flow of electronic messages across a computer network interconnected with a plurality of routers configured to route electronic message packets to destination servers, the method comprising:
- receiving reputation data associated with a sources;
  
  storing the reputation data;
  
  identifying potentially threatening sources based on the reputation data corresponding to the sources;
  
  providing connection data to one or more routers associated with a destination server for updating routing tables corresponding to the one or more routers, the connection data preventing identified threatening sources from delivering electronic messages to the destination server via the one or more routers.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 40, 41, 42, 43, 44)
- - 24. A method according to claim 23, further comprising:
    - receiving updated reputation data associated with the identified potentially threatening sources;
      
      generating updated connection data based on received updated; and
      
      providing the updated connection data to the one or more routers for further updating the corresponding routing tables.
  - 25. A method according to claim 24, wherein providing updated connection data comprises providing updated connection data to the one or more routers in real-time.
  - 26. A method according to claim 23, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 27. A method according to claim 23, wherein the one or more routers belong to a subscribing customer associated with the destination server, the method further comprising storing filtering preferences of the subscribing customer.
  - 28. A method according to claim 23, wherein identifying comprises identifying potentially threatening sources by evaluating the reputation data.
  - 29. A method according to claim 28, wherein the evaluating the reputation data comprises generating a reputation score for the potentially threatening sources, the reputation score indicating a likelihood that electronic messages from the potentially threatening sources are unwanted, malicious or harmful.
  - 30. A method according to claim 29, further comprising changing the reputation score based on new reputation data associated with the identified potentially threatening sources.
  - 31. A method according to claim 23, wherein receiving the reputation data comprises receiving the reputation data from a data source comprising a network traffic monitoring system comprising source data associated with sources and destination data associated with destination servers.
  - 32. A method according to claim 31, wherein the method further comprises comparing the source and destination data to a customer'"'"'s stored preferences, and based on the comparison generating a list of potentially threatening sources specific to that customer.
  - 33. A method according to claim 23, wherein receiving the reputation data comprises receiving the reputation data from a data source comprising a customer system, and the reputation data comprises at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists.
  - 34. A method according to claim 23, wherein receiving the reputation data comprises receiving the reputation data from a data source comprising approved sources selected using a business-based heuristics selection technique.
  - 35. A method according to claim 23, further comprising providing a list of the identified potentially threatening sources to the destination server in response to a query received from the destination server.
  - 36. A method according to claim 35, further comprising authenticating the IP address of the destination server before responding to the query.
  - 37. A method according to claim 23, wherein the connection data prevents the identified threatening sources from delivering electronic messages to the destination server via the one or more routers by redirecting electronic messages from the threatening sources.
  - 40. A method according to claim 23, wherein providing the connection data to the one or more routers comprises providing an update command instructing the one or more routers to update their corresponding routing tables with the connection data.
  - 41. A method according to claim 23, wherein identifying potentially threatening sources comprises identifying sources likely to be performing at least one selected from the group consisting of a directory harvest attack, a spam attack, a virus outbreak, and a mail bomb/denial-of-service attack.
  - 42. A method according to claim 23, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.
  - 43. A method according to claim 23, wherein providing the connection data comprises providing the connection data to the one or more routers in a Border Gateway Protocol (BGP).
  - 44. A method according to claim 23, wherein the source comprises a source IP address.

45. A network traffic filtering system for filtering a flow of electronic messages across a computer network interconnected with a plurality of routers configured to route electronic message packets to destination servers, the system comprising:
- an engine configured to identify potentially threatening sources based on evaluating reputation data associated with the sources;
  
  a profile database associated with the engine for storing the identified sources; and
  
  wherein the engine is further configured to;
  
  provide connection data to one or more routers associated with a destination server, the connection data comprising update commands instructing the one or more routers to update their corresponding routing tables to redirect electronic messages sent from the threatening sources and thereby preventing the electronic messages from reaching the destination server, generate updated connection data based on evaluating updated reputation data affecting the identified potentially threatening sources, and provide the updated connection data to the one or more routers for further updating the corresponding routing tables.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52)
- - 46. A system according to claim 45, wherein the updated connection data is provided to the one or more routers in real-time.
  - 47. A system according to claim 45, wherein the reputation data and updated reputation data comprise at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 48. A system according to claim 45, wherein the evaluation of the reputation data comprises generating a reputation score for the potentially threatening sources, the reputation score indicating a likelihood that electronic messages from the potentially threatening sources are unwanted, malicious or harmful.
  - 49. A system according to claim 48, wherein the evaluation of the updated reputation data comprises changing the reputation score based on the updated reputation data.
  - 50. A system according to claim 45, wherein the engine is configured to receive the reputation data and updated reputation data from a data source selected from the group consisting of:
    - a network traffic monitoring system comprising source data associated with sources and destination data associated with destination servers;
      
      a customer system, wherein the reputation data or updated reputation data comprises data from blacklists, blocked senders lists, or gray-lists; and
      
      a list of approved sources selected using a business-based heuristics selection technique.
  - 51. A system according to claim 45, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.
  - 52. A system according to claim 45, wherein the source comprises a source IP address.

53. A method of filtering a flow of electronic messages across a computer network interconnected with a plurality of routers configured to route electronic message packets to destination servers, the method comprising:
- receiving reputation data associated with sources;
  
  identifying potentially threatening sources based on an evaluation of the reputation data;
  
  providing connection data to one or more routers associated with a destination server for updating routing tables corresponding to the one or more routers, to redirect electronic messages sent from the threatening sources and thereby preventing the electronic messages from reaching the destination server;
  
  receiving updated reputation data associated with the source;
  
  generating updated connection data based on evaluating updated reputation data associated with the identified potentially threatening sources; and
  
  providing the updated connection data to the one or more routers for further updating the corresponding routing tables.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60)
- - 54. A method according to claim 53, wherein providing updated connection data comprises providing updated connection data to the one or more routers in real-time.
  - 55. A method according to claim 53, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 56. A method according to claim 53, wherein the evaluating the reputation data comprises generating a reputation score for the potentially threatening sources, the reputation score indicating a likelihood that electronic messages from the potentially threatening sources are unwanted, malicious or harmful.
  - 57. A system according to claim 56, wherein the evaluating the updated reputation data comprises changing the reputation score based on the updated reputation data.
  - 58. A method according to claim 53, wherein receiving the reputation data and updated reputation data comprises receiving the reputation data and updated reputation data from a data source selected from the group consisting of:
    - a network traffic monitoring system comprising source data associated with sources and destination data associated with destination servers;
      
      a customer system, wherein the reputation data or updated reputation data comprises data from blacklists, blocked senders lists, or gray-lists; and
      
      a list of approved sources selected using a business-based heuristics selection technique.
  - 59. A system according to claim 53, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.
  - 60. A method according to claim 53, wherein the source comprises a source IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Postini, Inc. (Alphabet Inc.)
Inventors
Lund, Peter, Carroll, Dorion, Petry, Scott, Croteau, Craig, Okumura, Kenneth

Granted Patent

US 8,001,268 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/068   using time-dependent keys, ...

H04L 63/126   the source of the received ...

H04L 67/306   User profiles

H04L 67/564   Enhancement of application ...

H04L 67/63   Routing a service request d...

Source reputation information system with router-level filtering of electronic messages

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

60 Claims

Specification

Use Cases

Quick Links

Others

Source reputation information system with router-level filtering of electronic messages

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

60 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others