Method and apparatus for detecting zombie-generated spam
First Claim
1. A method for detecting a zombie attack in a network having a plurality of computers comprising:
- determining, for each computer in said plurality of computers, a working set of email addresses associated with emails sent by said each computer; and
- detecting a zombie attack by at least one of:
  - determining that at least one computer in said plurality of computers is transmitting more than a threshold rate of emails;
  - determining that at least one computer in said plurality of computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set;
  - determining that a first threshold number of computers in said plurality of computers are transmitting email messages to email addresses outside of their associated working set; and
  - determining that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
Abstract
Disclosed is a method and system for detecting a zombie attack in a network having a plurality of computers. The method and system include a network analysis module for determining, for each computer, a working set of email addresses associated with emails sent by each computer. A zombie attack is detected by determining at least one of: 1) at least one computer in the plurality is transmitting more than a threshold rate of emails, 2) that at least one of the computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set, 3) that a first threshold number of computers in the plurality are transmitting email messages to email addresses outside of their associated working set, and 4) that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
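The abstract names four detection conditions but gives no values and no procedure for building the per-computer working set. The following is an added example (not code from the patent or its assignee) that implements the working-set construction and all four conditions over constructed mail-log records; the record layout, the threshold values and the host and address names are assumptions chosen for illustration.

```python
"""Working-set based detection of zombie (compromised) hosts sending spam.

Added example, not code from the patent: it builds each host's working set
from a baseline period and evaluates the abstract's four conditions over one
observation window. Record format, thresholds and names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class SentEmail:
    sender_host: str      # internal computer that originated the message
    recipient: str        # recipient email address
    recipient_host: str   # mail server / computer the message was delivered to
    ts: float             # send time in seconds


@dataclass(frozen=True)
class Thresholds:
    max_rate: float                # emails per second per host (condition 1)
    max_outside_per_host: int      # emails outside the working set, per host (condition 2)
    max_hosts_outside: int         # hosts sending outside their working set (condition 3)
    max_emails_per_recipient: int  # per host, to one recipient computer (condition 4)
    max_hosts_per_recipient: int   # hosts exceeding the above for one recipient (condition 4)


def build_working_sets(baseline: Iterable[SentEmail]) -> Dict[str, Set[str]]:
    """Working set = the addresses each host has historically sent mail to."""
    ws: Dict[str, Set[str]] = defaultdict(set)
    for m in baseline:
        ws[m.sender_host].add(m.recipient)
    return dict(ws)


def detect_zombie_attack(window: List[SentEmail], working_sets: Dict[str, Set[str]],
                         th: Thresholds) -> Dict[str, List[str]]:
    """Evaluate the four conditions over one observation window.

    Returns a dict keyed by condition name; a key is present only when that
    condition fires, and its value lists the offending hosts (or recipient computers).
    """
    findings: Dict[str, List[str]] = {}
    if not window:
        return findings
    span = max(m.ts for m in window) - min(m.ts for m in window)
    span = max(span, 1.0)  # a single-instant burst must not divide by zero

    per_host_count: Dict[str, int] = defaultdict(int)
    outside_count: Dict[str, int] = defaultdict(int)
    per_recipient_host: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for m in window:
        per_host_count[m.sender_host] += 1
        # A host with no baseline has an empty working set, so every address is "outside".
        if m.recipient not in working_sets.get(m.sender_host, set()):
            outside_count[m.sender_host] += 1
        per_recipient_host[m.recipient_host][m.sender_host] += 1

    # Condition 1: a host exceeds the per-host send rate
    fast = sorted(h for h, n in per_host_count.items() if n / span > th.max_rate)
    if fast:
        findings["rate"] = fast

    # Condition 2: a host mails too many addresses outside its working set
    novel = sorted(h for h, n in outside_count.items() if n > th.max_outside_per_host)
    if novel:
        findings["outside_working_set_host"] = novel

    # Condition 3: too many hosts mail outside their working sets at all
    hosts_outside = sorted(outside_count)
    if len(hosts_outside) > th.max_hosts_outside:
        findings["outside_working_set_hosts"] = hosts_outside

    # Condition 4: too many hosts each send too much mail to the same recipient computer
    targeted = []
    for rhost, senders in per_recipient_host.items():
        heavy = [h for h, n in senders.items() if n > th.max_emails_per_recipient]
        if len(heavy) > th.max_hosts_per_recipient:
            targeted.append(rhost)
    if targeted:
        findings["converging_on_recipient"] = sorted(targeted)
    return findings


def _sample_baseline() -> List[SentEmail]:
    # Constructed history: each workstation mails two known contacts.
    contacts = {"ws-01": ["alice@example.org", "bob@example.org"],
                "ws-02": ["carol@example.org", "dan@example.org"],
                "ws-03": ["erin@example.org", "frank@example.org"],
                "ws-04": ["grace@example.org", "heidi@example.org"]}
    return [SentEmail(h, r, "mx.example.org", float(i))
            for i, (h, rs) in enumerate(contacts.items()) for r in rs]


def _sample_window() -> List[SentEmail]:
    # Constructed window: ws-03 bursts 40 messages to unknown addresses within 10 s,
    # while ws-01, ws-02 and ws-04 each send 6 messages to one external server.
    w = [SentEmail("ws-03", f"user{i}@victim.example", "mx.victim.example", 100 + i * 0.25)
         for i in range(40)]
    for h in ("ws-01", "ws-02", "ws-04"):
        w += [SentEmail(h, "sales@target.example", "mx.target.example", 100.0 + i) for i in range(6)]
    return w


DEFAULT_THRESHOLDS = Thresholds(max_rate=2.0, max_outside_per_host=10, max_hosts_outside=3,
                                max_emails_per_recipient=5, max_hosts_per_recipient=2)


def run_demo() -> Dict[str, List[str]]:
    return detect_zombie_attack(_sample_window(), build_working_sets(_sample_baseline()),
                                DEFAULT_THRESHOLDS)


if __name__ == "__main__":
    for name, hosts in run_demo().items():
        print(f"{name}: {hosts}")
```

The constructed window trips all four conditions at once: the bursting host is caught by rate and by its own novel-address count, the three hosts with a new common recipient push the network over the "hosts sending outside their working set" count, and their shared destination is flagged as the recipient computer they converge on. Replaying the baseline itself through the detector yields no findings, which is the check to run before tuning the thresholds on real traffic.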
16 Claims
7. A system for detecting a zombie attack in a network having a plurality of computers comprising:
- a network analysis module configured to determine, for each computer in said plurality of computers, a working set of email addresses associated with emails sent by said each computer and configured to detect a zombie attack by at least one of:
  - determining that at least one computer in said plurality of computers is transmitting more than a threshold rate of emails;
  - determining that at least one computer in said plurality of computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set;
  - determining that more than a first threshold number of computers in said plurality of computers are transmitting email messages to email addresses outside of their associated working set; and
  - determining that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
12. A system for detecting a zombie attack in a network having a plurality of computers comprising:
- means for determining, for each computer in said plurality of computers, a working set of email addresses associated with emails sent by said each computer; and
- means for detecting a zombie attack by at least one of:
  - means for determining that at least one computer in said plurality of computers is transmitting more than a threshold rate of emails;
  - means for determining that at least one computer in said plurality of computers is transmitting more than a first threshold number of emails to email addresses outside of its associated working set;
  - means for determining that a first threshold number of computers in said plurality of computers are transmitting email messages to email addresses outside of their associated working set; and
  - means for determining that more than a second threshold number of computers are transmitting more than a second threshold number of emails to a recipient computer.
Specification