Systems and methods for message threat management

US 7,096,498 B2
Filed: 02/07/2003
Issued: 08/22/2006
Est. Priority Date: 03/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for managing threat information, the method comprising the steps of:

a. receiving threat information from one or more sources selected from the group consisting of application layer security systems, spain databases, a virus information databases, and intrusion information databases;

b. reducing the received threat information into a canonical form;

c. extracting features from the reduced threat information by applying one or more regular expressions;

d. selecting a goal set of one or more threat management goals based at least in part upon a selected application layer security system from the plurality of application layer security systems, wherein the goal set comprises one or more values of a type selected from the group of effectiveness values, accuracy values, efficiency values and false positive values;

e. generating a candidate rule set of one or more threat rules based upon the extracted features and the goal set;

f. testing the candidate rule set against one or more sets of test data;

g. refining the candidate rule set if the evaluation of the rule set fails to satisfy a predetermined confidence level; and

h. transmitting the candidate or refined rule set to at least one application layer security system.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.

750 Citations

19 Claims

1. A method for managing threat information, the method comprising the steps of:
- a. receiving threat information from one or more sources selected from the group consisting of application layer security systems, spain databases, a virus information databases, and intrusion information databases;
  
  b. reducing the received threat information into a canonical form;
  
  c. extracting features from the reduced threat information by applying one or more regular expressions;
  
  d. selecting a goal set of one or more threat management goals based at least in part upon a selected application layer security system from the plurality of application layer security systems, wherein the goal set comprises one or more values of a type selected from the group of effectiveness values, accuracy values, efficiency values and false positive values;
  
  e. generating a candidate rule set of one or more threat rules based upon the extracted features and the goal set;
  
  f. testing the candidate rule set against one or more sets of test data;
  
  g. refining the candidate rule set if the evaluation of the rule set fails to satisfy a predetermined confidence level; and
  
  h. transmitting the candidate or refined rule set to at least one application layer security system.

2. A management system for generating and distributing threat detection rules to application layer security systems, the system comprising:
- a. communication means for receiving threat information from one or more sources selected from the group consisting of application layer security systems, spain databases, a virus information databases, and intrusion information databases and for transmitting a generated rule set to at least one application layer security system;
  
  b. rule generation means for;
  
  i. reducing threat information received by the communication means into a canonical form;
  
  ii. extracting features from the reduced threat information by applying one or more regular expressions;
  
  iii. selecting a goal set of one or more threat management goals based at least in part upon a selected application layer security system from the plurality of application layer security systems, wherein the goal set comprises one or more values of a type selected from the group of effectiveness values, accuracy values, efficiency values and false positive values;
  
  iv. generating a candidate rule set of one or more threat rules based upon the extracted features and the goal set;
  
  v. testing the candidate rule set against one or more sets of test data;
  
  vi. refining the candidate rule set if the evaluation of the rule set fails to satisfy a predetermined confidence level; and
  
  vii. providing the candidate or refined rule set to the communication means.

3. An application layer security system, the system comprising:
- a. at least one application server system communication interface communicatively coupling the security system to a communication network allowing communication with one or more other application-layer security systems and a threat management system;
  
  b. a system data store capable of storing an electronic conimunication and accumulated data associated with received electronic communications; and
  
  c. a system processor in communication with the system data store and the at least one application server system communication interface, wherein the system processor comprises one or more processing elements and wherein the system processor;
  
  i. receives an electronic communication directed to or from a selected application server system;
  
  ii. applies one or more tests to the received electronic communication, wherein each of the one or more tests evaluates the received electronic communication for a particular security risk;
  
  iii. stores in the system data store a risk profile associated with the received electronic communication based upon the applied one or more tests, the risk profile identifying one or more security risks in the received electronic communication that were identified by the one or more tests; and
  
  iv. outputs information based upon the stored risk profile to a second application layer security system, a threat management center, a threat pushback system or a combination thereof, wherein the outputted information is used by another system processor to detect electronic communications that include the one or more security risks identified in the risk profile.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 4. The system of claim 3, wherein the received electronic communication comprises an e-mail communication, an HTTP communication, an FTP communication, a WAIS communication, a telnet communication or a Gopher communication.
  - 5. The system of claim 4, wherein the received electronic communication is an e-mail communication.
  - 6. The system of claim 3, wherein each of the one or more tests applied by the system processor comprises intrusion detection, virus detection, spain detection or policy violation detection.
  - 7. The system of claim 3, wherein the system processor applies a plurality of tests.
  - 8. The system of claim 7, wherein the system processor applies each of the plurality of tests in a parallel fashion.
  - 9. The system of claim 7, wherein the system processor applies each of the plurality of tests in a sequential fashion.
  - 10. The system of claim 3, wherein the system processor applies each of the one or more tests based upon configuration information stored in the system data store.
  - 11. The system of claim 3, wherein the system processor outputs the information in the form of an e-mail message, a page, a facsimile, an telephone call, an SMS message, a WAP alert or an SNMP alert.
  - 12. The system of claim 3, wherein the system processor outputs the information to a threat management center and to a second application layer security system, a threat pushback system or a combination thereof.
  - 13. The system of claim 3, wherein the one or more tests applied by the system processor comprise anomaly detection.
  - 14. The system of claim 3, wherein an application layer security system can broadcast a message to at least one other application layer security system.
  - 15. The system of claim 3, and further comprising a central threat management system, wherein the centralized threat management system coordinates threat information among multiple nodes.
  - 16. The system of claim 3, wherein each application layer security system is a trusted application layer security system.
  - 17. The system of claim 3, wherein the system processor outputs information comprising threat statistics.
  - 18. The system of claim 17, wherein the threat statistics include information about the frequency of certain threat types.
  - 19. The system of claim 3, wherein the system processor outputs information comprising information corresponding to a specific identified threat, one or more whitelists, traffic pattern data, or combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Ciphertrust, Incorporated (McAfee, LLC)
Inventors
Judge, Paul
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
TO, BAOTRAN N

Application Number

US10/361,091
Publication Number

US 20030172292A1
Time in Patent Office

1,292 Days
Field of Search

713200-202, 713/188, 709222-225, 709/229, 726 22- 25
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and methods for message threat management

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

750 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for message threat management

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

750 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links