TECHNIQUE FOR DETECTING SUSPICIOUS ELECTRONIC MESSAGES

US 20180082062A1
Filed: 09/18/2017
Published: 03/22/2018
Est. Priority Date: 09/19/2016
Status: Active Grant

First Claim

Patent Images

1. A method of detecting suspicious electronic messages, wherein the method is performed in a messaging server which is in communication with a plurality of message senders and a plurality of message receivers, wherein the method comprises the steps of:

receiving electronic messages sent from the plurality of message senders to at least one message receiver;

extracting from each received message at least one message sender feature AF and at least one message content feature CF;

recording the extracted at least one message sender features AF and at least one message content features CF in a database;

determining, on the basis of the message content features CFs recorded in the database, whether a specific content feature that can be associated with a current message has already been recorded in the past;

if the specific content feature has already been recorded in the past, determining, on the basis of the message sender features AFs recorded in the database, a number N of message senders that can be associated with the specific content feature; and

classifying the current message as suspicious if the determined number N of message senders that can be associated with the specific content feature exceeds a predetermined threshold value N1.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to a method of detecting suspicious electronic messages. The method is performed in a messaging server which is in communication with a plurality of message senders and a plurality of message receivers, and comprises the steps of: receiving electronic messages sent from the plurality of message senders to at least one message receiver; extracting from each received message at least one message sender feature and at least one message content feature; recording the extracted message sender features and message content features in a database; determining, on the basis of the message content features recorded in the database, whether a specific content feature that can be associated with a current message has already been recorded in the past; if the specific content feature has already been recorded in the past, determining, on the basis of the message sender features recorded in the database, a number of message senders that can be associated with the specific content feature; and classifying the current message as suspicious if the determined number of message senders that can be associated with the specific content feature exceeds a predetermined threshold value. Also disclosed is a messaging server implementing the above described method.

Citations

17 Claims

1. A method of detecting suspicious electronic messages, wherein the method is performed in a messaging server which is in communication with a plurality of message senders and a plurality of message receivers, wherein the method comprises the steps of:
- receiving electronic messages sent from the plurality of message senders to at least one message receiver;
  
  extracting from each received message at least one message sender feature AF and at least one message content feature CF;
  
  recording the extracted at least one message sender features AF and at least one message content features CF in a database;
  
  determining, on the basis of the message content features CFs recorded in the database, whether a specific content feature that can be associated with a current message has already been recorded in the past;
  
  if the specific content feature has already been recorded in the past, determining, on the basis of the message sender features AFs recorded in the database, a number N of message senders that can be associated with the specific content feature; and
  
  classifying the current message as suspicious if the determined number N of message senders that can be associated with the specific content feature exceeds a predetermined threshold value N1.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, further comprising generating timestamps ts and recording the timestamps ts along with the extracted message sender features AFs and message content features CFs in the database.
  - 3. The method according to claim 2, wherein the recording step further comprises:
    - organizing the time-stamped message sender features AFs and message content features CFs into at least one index data structure IDX1, IDX2.
  - 4. The method according to claim 3, wherein the time-stamped message sender features AFs and message content features CFs are recorded in two separate index data structures, wherein a first index data structure IDX1 comprises a data set (ts, CF) of time-stamped message content features CFs and a second index data structure IDX2 comprises a data set (ts, CF, AF) of time-stamped message content features CFs and message sender features AFs.
  - 5. The method according to claim 1, wherein the step of determining whether specific content features has already been recorded in the database comprises:
    - performing an identity or similarity check between the message content feature CF associated with the current message and the recorded message content features CFs in the database.
  - 6. The method according to claim 5, wherein a database look-up is performed in order to determine whether a content feature record identical or similar to the specific content feature already exists in the database for a predetermined time window in the past.
  - 7. The method according to claim 5, wherein if a message content feature record identical or similar to the specific content feature already exists in the database for a predetermined time window, determining how many message sender features AFs can be related to the existing content feature record for the predetermined time window.
  - 8. The method according to claim 6, wherein if a message content feature record identical or similar to the specific content feature already exists in the database for a predetermined time window, determining how many message sender features AFs can be related to the existing content feature record for the predetermined time window.
  - 9. The method according to claim 1, wherein the classifying step further comprises at least one of the following processes:
    - tagging the current message as suspicious message; and
      
      registering the content of the current message as spam or malicious content in a blacklist.
  - 10. The method according to claim 1, wherein if the current message has been classified as suspicious, the method further comprising at least one of the following steps:
    - blocking the current message; and
      
      subjecting the current message to an AV analysis.
  - 11. The method according to claim 10, further comprising:
    - routing the current message to the intended message receiver if the AV analysis reveals that the message is not malicious.
  - 12. The method according to claim 1, wherein the at least one extracted message sender feature AF is indicative of a sender address or sender address portion.
  - 13. The method according to claim 1, wherein the at least one extracted message content feature CF is indicative of an attachment of the message, subject line content of the message, URL comprised in the message and/or portions thereof.
  - 14. A computer program product comprising program code portions for carrying out the method according to claim 1, when the computer program product is executed on a computer device.
  - 15. The computer program product according to claim 14, the computer program product being stored on a non-transitory computer-readable recording medium.

16. A messaging server for detecting suspicious electronic messages, wherein the messaging server is in communication with a plurality of message senders and a plurality of message receivers, the messaging server being configured to receive electronic messages sent from the plurality of message senders to at least one message receiver, the server comprising:
- an analysing unit configured to extract at least one message sender feature AF and at least one message content feature CF from each received message;
  
  a recording unit configured to record the extracted at least one message sender features AF and at least one message content features CF in a database;
  
  a determining unit configured to determine, on the basis of the message content features CFs recorded in the database, whether a specific content feature that can be associated with a current message has already been recorded in the past, and if the specific content feature has already been recorded in the past, to further determine, on the basis of the message sender features AF recorded in the database, a number N of message senders that can be associated with the specific content feature; and
  
  a classifying unit configured to classify the current message as suspicious if the determined number N of message senders that can be associated with the specific content feature exceeds a predetermined threshold value N1.
- View Dependent Claims (17)
- - 17. The messaging server according to claim 16, further comprising a time-stamping unit configured to provide a timestamp is for each extracted message sender feature AF and message content feature CF.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Retarus GmbH
Original Assignee
Retarus GmbH
Inventors
Hager, Martin, Grauvogl, Michael

Granted Patent

US 10,572,664 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

H04L 2463/121   Timestamp

H04L 2463/144   Detection or countermeasure...

H04L 51/212   using filtering or selectiv...

H04L 63/123   received data contents, e.g...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/164   at the network layer

H04L 63/308   retaining data, e.g. retain...

TECHNIQUE FOR DETECTING SUSPICIOUS ELECTRONIC MESSAGES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUE FOR DETECTING SUSPICIOUS ELECTRONIC MESSAGES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links