Method for Inferring Maliciousness of Email and Detecting a Virus Pattern

US 20100077480A1
Filed: 12/08/2006
Published: 03/25/2010
Est. Priority Date: 11/13/2006
Status: Active Grant

First Claim

Patent Images

1. A method of distinguishing an abnormal e-mail, comprising the steps of:

decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information;

determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; and

distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method of distinguishing an abnormal e-mail and determining whether an e-mail is affected with a virus. The method includes the steps of: decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information; determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and when there is an executable attachment file among the header information of the e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using distribution of similarity among data. The method effectively distinguishes an abnormal e-mail and determines whether an e-mail is infected with a virus without a database for spam filtering or a database of virus information, and thus is capable of stopping the propagation of new viruses. Therefore, an e-mail server can have a security technique and handle abnormal e-mail in a step before operation of a spam filter server or an antivirus server. Consequently, it is possible to manage a mail server more securely.

Citations

19 Claims

1. A method of distinguishing an abnormal e-mail, comprising the steps of:
- decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information;
  
  determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; and
  
  distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19)
- - 2. The method of claim 1, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF.
  - 3. The method of claim 1, wherein when header information is normal, a specific value of 0 is given to the header information, and when header information is abnormal, a specific value of 1 is given to the header information.
  - 4. The method of claim 1, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr is normal, information of the recipient section To and information of the mail header H are abnormal, and the executable attachment file EF exists, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.
  - 5. The method of claim 1, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr is abnormal, information of the recipient section To is normal, information of the mail header H is abnormal, and the executable attachment file EF exists, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.
  - 6. The method of claim 1, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr and information of the recipient section To are abnormal, information of the mail header H is normal, and the executable attachment file EF exists, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.
  - 7. The method of claim 1, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr, information of the recipient section To, and information of the mail header H is abnormal, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.
  - 19. A computer-readable recording medium storing a program capable of executing the method of any one of claims 1 to 18.

8. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
- decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information;
  
  determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result;
  
  distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and
  
  when there is an executable attachment file in header information of an e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using distribution of similarity among data.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein the step of determining whether the abnormal e-mail is infected with a virus comprises the steps of:
    - converting and simplifying data of the executable attachment file;
      
      normalizing the simplified data of the executable attachment file;
      
      obtaining distribution of similarity among data using the normalized data of the executable attachment file; and
      
      analyzing the obtained distribution of similarity among data, and when a previously set dense distribution pattern exists, determining that the executable attachment file is infected with a virus.
  - 10. The method of claim 9, wherein the distribution of similarity among data is obtained by generating an optimized codemap of the normalized data of the executable attachment file and then constructing a new matrix on the basis of average values of surrounding values.
  - 11. The method of claim 8, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF.
  - 12. The method of claim 8, wherein when header information is normal, a specific value of 0 is given to the header information, and when header information is abnormal, a specific value of 1 is given to the header information.
  - 13. The method of claim 8, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr is normal, information of the recipient section To and information of the mail header H are abnormal, and the executable attachment file EF exists, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.
  - 14. The method of claim 8, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr is abnormal, information of the recipient section To is normal, information of the mail header H is abnormal, and the executable attachment file EF exists, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.
  - 15. The method of claim 8, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr and information of the recipient section To are abnormal, information of the mail header H is normal, and the executable attachment file EF exists, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.
  - 16. The method of claim 8, wherein the header information comprises a mail header H, an originator section Fr, a recipient section To, and information of an executable attachment file EF, and when information of the originator section Fr, information of the recipient section To, and information of the mail header H are abnormal, the logical inference rule classifies an e-mail to which the packet belongs as abnormal.

17. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
- when an executable file is attached to a received e-mail, converting and simplifying data of the executable attachment file;
  
  normalizing the simplified data of the executable attachment file;
  
  obtaining distribution of similarity among data using the normalized data of the executable attachment file; and
  
  analyzing the obtained distribution of similarity among data, and when a previously set dense distribution pattern exists, determining that the executable attachment file is infected with a virus.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein the distribution of similarity among data is obtained by generating an optimized codemap of the normalized data of the executable attachment file and then constructing a new matrix on the basis of average values of surrounding values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Original Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Inventors
Yoo, In Seon

Granted Patent

US 8,677,490 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06Q 10/107 Computer-aided management o...

Method for Inferring Maliciousness of Email and Detecting a Virus Pattern

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method for Inferring Maliciousness of Email and Detecting a Virus Pattern

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links