Systems and methods for adaptive message interrogation through multiple queues

US 7,089,590 B2
Filed: 09/02/2005
Issued: 08/08/2006
Est. Priority Date: 03/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A security system for interrogation of a communication transmitted over a communication network, the system comprising:

a) receiving means for receiving a communication transmitted over a communication network;

b) storing means for storing a received communication and a plurality of index queues;

c) assignment means for assigning a selected index to a stored communication;

d) interrogation engine management means for executing a plurality of interrogation engines, wherein the interrogation engines have a test type and an index queue in a queue data store associated with it, and wherein the interrogation engines;

1) monitors its associated index queue for a placed index;

2) retrieves the communication associated with the placed index from a message data store;

3) assesses the retrieved communication against a set of one or more criteria related to the interrogation engine'"'"'s test type; and

4) outputs an assessment indicator indicating results of assessing the retrieved communication with respect to the set of one or more criteria; and

e) index placement means for placing the selected index in an index queue associated with an interrogation engine, wherein the index placement means places the selected index into the index queue of a first interrogation engine responsive to assignment of the selected index by the index assignment means and wherein the index placement means places the selected index into the index queue associated with an interrogation engine having a type differing from any interrogation engine that previously assessed the communication associated with the selected index responsive to an assessment indicator output by an interrogation engine that previously assessed the communication.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for enhancing electronic communication security. An electronic communication is received and stored. A plurality of risk assessments are made with respect to the received communication thereby generating a risk profile associated with the communication. The assessments are made in a sequential manner by assigning the stored communication and index and serially placing the index on queue associated with interrogation engines that perform the various assessments. The index is initially placed in a queue associated with an interrogation engine performing the first type of assessment on the communication. The index is placed in a subsequent queue only after the interrogation engine associated with the prior queue in which the index was placed has assessed the communication. This is repeated until all desired assessments have been performed. Each assessment may result in the output of an assessment indicator that indicates the results of the particular assessment.

389 Citations

20 Claims

1. A security system for interrogation of a communication transmitted over a communication network, the system comprising:
- a) receiving means for receiving a communication transmitted over a communication network;
  
  b) storing means for storing a received communication and a plurality of index queues;
  
  c) assignment means for assigning a selected index to a stored communication;
  
  d) interrogation engine management means for executing a plurality of interrogation engines, wherein the interrogation engines have a test type and an index queue in a queue data store associated with it, and wherein the interrogation engines;
  
  1) monitors its associated index queue for a placed index;
  
  2) retrieves the communication associated with the placed index from a message data store;
  
  3) assesses the retrieved communication against a set of one or more criteria related to the interrogation engine'"'"'s test type; and
  
  4) outputs an assessment indicator indicating results of assessing the retrieved communication with respect to the set of one or more criteria; and
  
  e) index placement means for placing the selected index in an index queue associated with an interrogation engine, wherein the index placement means places the selected index into the index queue of a first interrogation engine responsive to assignment of the selected index by the index assignment means and wherein the index placement means places the selected index into the index queue associated with an interrogation engine having a type differing from any interrogation engine that previously assessed the communication associated with the selected index responsive to an assessment indicator output by an interrogation engine that previously assessed the communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein the received communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication, a Gopher communication, instant messaging or voice over internet protocol.
  - 3. The system of claim 1, wherein the plurality of interrogation engines comprises one or more further interrogation engines having a type differing from any interrogation engine that previously assessed the communication associated with the selected index and wherein the assignment means, responsive to an assessment indicator output by an interrogation engine, places the selected index in an index queue associated with an interrogation engine having a type differing from any interrogation engine that previously assessed the communication associated with the selected index.
  - 4. The system of claim 1, wherein the plurality of interrogation engines comprises intrusion detection, virus detection, spam detection or policy violation detection.
  - 5. The system of claim 1, wherein the assessment indicator output by an interrogation engine comprises a risk level associated with received communication with respect to the interrogation engine'"'"'s test type.
  - 6. The system of claim 1, wherein the assessment indicator output by an interrogation engine is output only if the interrogation engine'"'"'s assessment of the received communication with respect to the set of one or more criteria determines that the received communication meets a threshold risk level.
  - 7. The system of claim 1, wherein the assessment indicator signal triggers a notification, the notification comprising an e-mail message, a page, a facsimile, an telephone call, an SMS message, a WAP alert or SMNP alert, wherein the notification comprises a test type associated with the interrogation engine outputting the assessment indicator.
  - 8. The system of claim 1, wherein the assignment means deletes an interrogation engine from the plurality of interrogation engines based upon loading of existing interrogation engines in the plurality of interrogation engines.
  - 9. The system of claim 1, wherein the storing means further comprises a configuration data store capable of storing configuration information based upon data accumulated from received communications, and wherein the assignment means further determines a next interrogation engine based upon configuration information stored in the storing means.
  - 10. The system of claim 1, wherein the storing means comprises volatile memory, non-volatile memory, or combinations thereof.
  - 11. The system of claim 1, further comprising a firewall communication interface communicatively coupling the system to a firewall system, wherein the system receives the communication via the firewall communication interface.
  - 12. The system of claim 1, further comprising a firewall communication interface communicatively coupling the system to a firewall system, wherein the received communication originates from a system connected to the communications network with a destination address external to the communications network.
  - 13. The system of claim 1, wherein the system further comprises forwarding means for forwarding the received communication to its destination.
  - 14. The system of claim 1, wherein the interrogation engine management means further outputs an overall indicator signal responsive to one or more assessment indicators respectively output from the plurality of interrogation engines.
  - 15. The system of claim 1, wherein the system further takes a corrective measure responsive to one or more assessment indicators respectively output from the plurality of interrogation engines.
  - 16. The system of claim 15, wherein the corrective measure comprises conveying a notification to an administrator, refusing acceptance of further communications from the source of the received communication, quarantine of the received communication, stripping the received communication of identified content, throttling excessive numbers of incoming connections per second to manageable levels for the communication network, or otherwise throttling the sender or flagging the received communication.

17. A method of interrogating a communication transmitted over a communication network, the method comprising the steps of:
- a) receiving data transmitted over a communication network;
  
  b) assigning an interrogation index to the received data;
  
  c) executing a plurality of interrogation engines, wherein the interrogation engines are of a different type and have interrogation queues associated with the interrogation engines, respectively, wherein the interrogation engines are configured to perform an assessment of the received data responsive to position of the received data in the associated interrogation queue;
  
  d) successively placing the interrogation index into the interrogation queues associated with the plurality of interrogation engines, respectively.

18. A system for interrogating a communication transmitted over a communication network, comprising:
- a) a communications interface configured to receive data transmitted over a communication network, and transmit interrogated data to an intended destination;
  
  b) indexing logic configured to index the received data into one of a plurality of interrogation queues, the indexing logic being further configured to guide the received data through the interrogation queues; and
  
  c) a plurality of interrogation engines, the interrogation engines being respectively associated with the plurality of interrogation queues, the interrogation engines being configured to perform tests on the received data, the plurality of interrogation engines producing interrogated data comprising the received data and the interrogation results;
  
  wherein the interrogation engines perform tests on the received data prior to sending interrogated data to the communications interface for transmission to the intended destination.

19. A system for detecting anomalies in data communications on a communications network, comprising:
- a data layer configured to receive unprocessed data from a communications network, and transmit processed data to an intended destination via the communications network;
  
  a queuing layer configured to queue unprocessed data for a plurality of interrogation engines;
  
  an interrogation layer configured to receive unprocessed data from the queuing layer and perform a plurality of tests on the unprocessed data responsive to a plurality of interrogation engines, wherein the interrogation engines produce a plurality of output logs; and
  
  an anomaly detection layer configured to receive the plurality of output logs from the interrogation layer, wherein the anomaly detection engine uses configuration data and the output log to detect anomalies in the unprocessed data, and wherein the anomaly detection layer is configured to output alerts responsive to the anomaly detection engine.

20. One or more computer readable memories for storing index queues for access by a plurality of interrogation engines, said interrogation engines being executable on a data processing system, wherein an interrogation queue comprises a data structure that stores an index;
- wherein the index is used in processing a communication received over a communication interface;
  
  wherein an index queue is associated with an interrogation engine having a test type, wherein an index is assigned to a communication received over the communication interface, the index comprising a queue place index and a queue select index;
  
  wherein an interrogation engine;
  
  1) monitors its associated index queue for the queue place index;
  
  2) retrieves the communication responsive to the queue place index;
  
  3) assesses the retrieved communication against a set of one or more criteria related to the interrogation engine'"'"'s test type; and
  
  4) outputs an assessment indicator indicating results of assessing the retrieved communication with respect to the set of one or more criteria;
  
  wherein the index is updated responsive to the interrogation engine output;
  
  wherein the queue select index identifies at least one of the index queues, and is initially placed into the index queue associated with a first interrogation engine, wherein the first interrogation engine has a first test type;
  
  wherein, responsive to the assessment indicator output by the first interrogation engine, the queue select index is placed into the index queue associated with a second interrogation engine, wherein the second interrogation engine has a second test type that differs from the first test type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Ciphertrust, Incorporated (McAfee, LLC)
Inventors
Judge, Paul, Rajan, Guru
Primary Examiner(s)
Song, Hosuk

Application Number

US11/218,689
Publication Number

US 20060021055A1
Time in Patent Office

340 Days
Field of Search

726 22- 25, 709/200, 709223-225, 709/229
US Class Current

726/22
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Systems and methods for adaptive message interrogation through multiple queues

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

389 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for adaptive message interrogation through multiple queues

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

389 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links