Method for Inferring Maliciousness of Email and Detecting a Virus Pattern
First Claim
1. A method of distinguishing an abnormal e-mail, comprising the steps of:
- decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information;
- determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; and
- distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule.
Abstract
Provided is a method of distinguishing an abnormal e-mail and determining whether an e-mail is infected with a virus. The method includes the steps of: decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information; determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and, when there is an executable attachment file among the header information of the e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using the distribution of similarity among its data. The method distinguishes an abnormal e-mail and determines whether it is infected with a virus without a spam-filtering database or a database of virus information, and is thus capable of stopping the propagation of new viruses. An e-mail server can therefore apply this security technique and handle abnormal e-mail in a step before the spam filter server or antivirus server operates. Consequently, it is possible to manage a mail server more securely.
19 Claims
1. A method of distinguishing an abnormal e-mail, comprising the steps of:
- decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information;
- determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; and
- distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule.
Dependent claims: 2, 3, 4, 5, 6, 7, 19.
8. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
- decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information;
- determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result;
- distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and
- when there is an executable attachment file in header information of an e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using distribution of similarity among data.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.
17. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
- when an executable file is attached to a received e-mail, converting and simplifying data of the executable attachment file;
- normalizing the simplified data of the executable attachment file;
- obtaining distribution of similarity among data using the normalized data of the executable attachment file; and
- analyzing the obtained distribution of similarity among data, and when a previously set dense distribution pattern exists, determining that the executable attachment file is infected with a virus.
Dependent claims: 18.
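The following Python is an added illustration of how the steps of claims 1, 8 and 17 fit together on a constructed message; it is not the patent's own code and does not reproduce any disclosed implementation. The page names the steps but none of their parameters, so the particular header checks, the values assigned, the inference rule, the window size, the cosine similarity measure and the "dense" threshold are all assumptions of this example, as are the sample headers and attachment bytes.

```python
import base64
import math
from collections import Counter
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# All four constants are this example's assumptions; the page gives no values.
WINDOW = 64             # bytes per window in the similarity analysis
DENSE_SHARE = 0.8       # one similarity bin holding >= 80% of windows counts as "dense"
ABNORMAL_THRESHOLD = 3  # inference rule: summed header values at/above this => abnormal
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")

# Claim 1, step 1: decode the received packet into a readable (parsed) message.
def decode_packet(raw: bytes):
    return message_from_bytes(raw)

# Claim 1, step 2: classify header fields and give each a specific value.
# Assumed scheme: 0 = normal, a positive weight = abnormal. Which fields are
# checked is the example's choice; the page does not enumerate them.
def score_headers(msg) -> dict:
    scores = {}
    scores["Message-ID"] = 0 if msg.get("Message-ID") else 2
    try:
        parsedate_to_datetime(msg.get("Date") or "")
        scores["Date"] = 0
    except (TypeError, ValueError):
        scores["Date"] = 1
    from_addr = parseaddr(msg.get("From") or "")[1]
    ret_path = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    same_domain = from_addr.rpartition("@")[2].lower() == ret_path.rpartition("@")[2].lower()
    scores["From/Return-Path"] = 0 if from_addr and same_domain else 2
    scores["Received"] = 0 if msg.get_all("Received") else 1
    scores["Subject"] = 0 if (msg.get("Subject") or "").strip() else 1
    return scores

# Claim 1, step 3: the logical inference rule over the assigned values.
# Assumed rule: abnormal when the sum reaches the threshold or when at least two
# independent header fields are individually abnormal.
def is_abnormal(scores: dict) -> bool:
    flagged = sum(1 for v in scores.values() if v > 0)
    return sum(scores.values()) >= ABNORMAL_THRESHOLD or flagged >= 2

# Claim 8: locate executable attachments (by assumed suffix list or the "MZ" prefix).
def executable_attachments(msg) -> list:
    found = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True)
        if data and (name.endswith(EXEC_SUFFIXES) or data[:2] == b"MZ"):
            found.append((name, data))
    return found

# Claim 17, steps 1-2 (assumed encoding): cut the file into fixed windows and
# normalize each window to a byte-frequency vector whose entries sum to 1.
def normalized_windows(data: bytes) -> list:
    return [{b: c / WINDOW for b, c in Counter(data[i:i + WINDOW]).items()}
            for i in range(0, len(data) - WINDOW + 1, WINDOW)]

def cosine(a: dict, b: dict) -> float:
    dot = sum(a[k] * b[k] for k in a if k in b)
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

# Claim 17, step 3 (assumed measure): similarity of every window to the first
# window, binned into equal intervals and returned as shares of all windows.
def similarity_distribution(data: bytes, bins: int = 10) -> list:
    vectors = normalized_windows(data)
    if not vectors:
        return [0.0] * bins
    counts = [0] * bins
    for vec in vectors:
        counts[min(int(cosine(vectors[0], vec) * bins), bins - 1)] += 1
    return [c / len(vectors) for c in counts]

# Claim 17, step 4: a "dense distribution pattern" is, in this example, one bin
# holding at least DENSE_SHARE of the windows.
def has_dense_pattern(data: bytes) -> bool:
    return max(similarity_distribution(data)) >= DENSE_SHARE

# Claims 1 and 8 end to end: the attachment test runs only for mail already
# judged abnormal by the header inference, as claim 8 orders the steps.
def assess(raw: bytes) -> dict:
    msg = decode_packet(raw)
    scores = score_headers(msg)
    abnormal = is_abnormal(scores)
    infected = abnormal and any(has_dense_pattern(d) for _, d in executable_attachments(msg))
    return {"scores": scores, "abnormal": abnormal, "infected": bool(infected)}

# Constructed sample material (not from the page).
SUSPECT_HEADERS = ('From: "Billing" <billing@example.com>\nTo: user@example.org\n'
                   'Subject: Invoice\nDate: Mon, 01 Jan 2024 00:00:00 +0000\n')  # no Message-ID, no Received
NORMAL_HEADERS = SUSPECT_HEADERS + ('Message-ID: <1@example.com>\n'
                                    'Received: from mx.example.com by mail.example.org\n')
REPETITIVE_EXE = b"MZ" + b"\x90\x00" * 511   # 1024 bytes, every window alike
VARIED_EXE = b"MZ" + bytes(range(256)) * 4   # 1026 bytes, windows mostly disjoint

def build_sample(attachment: bytes, headers: str) -> bytes:
    body = (headers + 'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="B"\n\n'
            '--B\nContent-Type: text/plain\n\nsee attached\n'
            '--B\nContent-Type: application/octet-stream; name="invoice.exe"\n'
            'Content-Disposition: attachment; filename="invoice.exe"\n'
            'Content-Transfer-Encoding: base64\n\n')
    return body.encode() + base64.encodebytes(attachment) + b"\n--B--\n"

if __name__ == "__main__":
    print(assess(build_sample(REPETITIVE_EXE, SUSPECT_HEADERS)))
    print(assess(build_sample(VARIED_EXE, SUSPECT_HEADERS)))
    print(assess(build_sample(REPETITIVE_EXE, NORMAL_HEADERS)))
```

The constructed suspect message lacks both a Message-ID and a Received header, so under the assumed values it scores 3 and is judged abnormal; the repetitive payload puts every window in the top similarity bin and is reported as infected, while the varied payload spreads its windows across two bins and is not. With the two headers added, the same attachment is never examined, because the header inference runs first. In practice the checks, weights and similarity measure are the parts a defender would tune against their own mail stream; the structure of the pipeline is what the claims specify.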