SYSTEM AND METHODS FOR DETECTING MALICIOUS EMAIL TRANSMISSION

US 20100169970A1
Filed: 12/08/2009
Published: 07/01/2010
Est. Priority Date: 08/16/2001
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:

(a) gathering statistics relating to the transmission behavior of email relating to a first email account on said computer system; and

(b) generating a profile relating to the transmission behavior of email relating to said first email account based on said statistics.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.

135 Citations

View as Search Results

23 Claims

1. A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
- (a) gathering statistics relating to the transmission behavior of email relating to a first email account on said computer system; and
  
  (b) generating a profile relating to the transmission behavior of email relating to said first email account based on said statistics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein gathering statistics relating to the transmission behavior of email comprises gathering statistics relating to the email addresses of emails sent to said first email account.
  - 3. The method according to claim 1, wherein gathering statistics relating to the transmission behavior of email comprises gathering statistics relating to the email addresses of email sent by said first email account.
  - 4. The method according to claim 1, wherein gathering statistics relating to the transmission behavior of email comprises gathering statistics relating to the number of emails sent by said first email account.
  - 5. The method according to claim 1, wherein gathering statistics relating to the transmission behavior of email comprises gathering statistics relating to the transmission of email between said first email account and one or more additional email accounts.
  - 6. The method according to claim 5, wherein gathering statistics relating to the transmission behavior of email comprises gathering statistics relating to the number of emails transmitted between said first email account and said one or more additional email accounts.
  - 7. The method according to claim 6, wherein generating a profile relating to the transmission behavior of email comprises ordering said one or more additional email accounts according to the number of emails transmitted between said first email account and each of said respective additional email accounts.
  - 8. The method according to claim 6, wherein generating a profile relating to the transmission behavior of email comprises grouping said one or more additional email accounts according to the number of emails transmitted between said first email account and each of said respective additional email accounts.
  - 9. The method according to claim 5, wherein generating a profile relating to the transmission behavior of email comprises grouping said one or more additional email accounts according to the domain of each of said additional email accounts.
  - 10. The method according to claim 1, wherein gathering statistics relating to the transmission behavior of email further comprises assigning a unique identifier to each email sent to said first email account.
  - 11. The method according to claim 5, wherein gathering statistics relating to the transmission behavior of email further comprises assigning a unique identifier to each email sent between said first email account and one or more additional email accounts.
  - 12. The method according to claim 5 further comprising:
    - (a) gathering statistics related to the transmission of selected email between said first email account and said one or more additional email accounts; and
      
      (b) comparing said statistics relating to transmission behavior of selected email with said generated profile.

13. A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
- (a) defining a model relating to prior transmission of email through said computer system derived from statistics relating to transmission behavior of prior emails transmitted through said computer system;
  
  (b) generating a baseline profile relating to the transmission behavior of email through said computer system;
  
  (c) gathering statistics relating to transmission behavior of selected email through said computer system; and
  
  (d) comparing said statistics relating to transmission behavior of selected email with said baseline profile.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method according to claim 13, where said model relating to prior transmission of email is based on the number of emails transmitted through said computer system during a specified period of time.
  - 15. The method according to claim 14, wherein defining a model comprises defining a histogram of prior transmission of email through the computer system.
  - 16. The method according to claim 15, wherein gathering statistics relating to transmission of selected email through said computer system further comprises defining a histogram of said selected email.
  - 17. The method according to claim 16, wherein comparing said statistics relating to transmission behavior of selected email with said baseline profile comprises comparing said histogram of prior transmission of email to said histogram of selected transmission of email through said computer system.
  - 18. The method according to claim 17, wherein comparing said histogram of prior transmission of email to said histogram of selected transmission of email comprises performing a Mahalanobis distance analysis.
  - 19. The method according to claim 17, wherein comparing said histogram of prior transmission of email to said histogram of selected transmission of email comprises performing a Kolmogorov-Simironov test.
  - 20. The method according to claim 17, wherein comparing said histogram of prior transmission of email to said histogram of selected transmission of email comprises performing a Chi-square test.
  - 21. The method according to claim 18 further comprising setting a threshold value and comparing said histogram difference to said threshold value to determine whether selected email transmission behavior is normal.
  - 22. The method according to claim 19 further comprising setting a threshold value and comparing said histogram difference to said threshold value to determine whether selected email transmission behavior is normal.
  - 23. The method according to claim 20 further comprising setting a threshold value and comparing said histogram difference to said threshold value to determine whether selected email transmission behavior is normal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Eleazar Eskin, Manasi Bhattacharyya, Salvatore J. Stolfo, Shlomo Herskop
Original Assignee
Eleazar Eskin, Manasi Bhattacharyya, Salvatore J. Stolfo, Shlomo Herskop
Inventors
Herskop, Shlomo, Eskin, Eleazar, Stolfo, Salvatore J., Bhattacharyya, Manasi

Granted Patent

US 8,443,441 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

SYSTEM AND METHODS FOR DETECTING MALICIOUS EMAIL TRANSMISSION

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

135 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHODS FOR DETECTING MALICIOUS EMAIL TRANSMISSION

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

135 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links