Proactive protection against e-mail worms and spam

US 7,373,664 B2
Filed: 12/16/2002
Issued: 05/13/2008
Est. Priority Date: 12/16/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting the presence of malicious computer code in a plurality of e-mails, said method comprising, for each e-mail, the steps of:

calculating a feature vector, said feature vector being representative of a presence of a plurality of preselected features in the e-mail, wherein a feature bin table is updated with an entry for each preselected feature and wherein at least one preselected feature is based on a file attached to the e-mail and at least one preselected feature is based on a script associated with the email;

calculating at least one decaying weighted score based upon said feature vector, wherein each said score is calculated based on a number of entries in the feature bin table within a current time window, an application of a first decay function to a value which indicates a number of deleted entries in the feature bin table and an application of a second decay function to at least a first previously calculated at least one score based upon said feature vector;

determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and

when a score exceeds a preselected malicious threshold, blocking said e-mail.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a plurality of e-mails. In a method embodiment of the present invention, the following steps are performed for each e-mail: calculating a feature vector (80), said feature vector (80) being representative of a presence of at least one preselected feature in the e-mail; calculating at least one score (S) based upon said feature vector (80), each said score (S) being representative of a frequency of occurrence of an instance of a feature; determining whether any score (S) exceeds a preselected malicious threshold representative of malicious computer code; and when a score (S) exceeds a preselected malicious threshold, blocking said e-mail.

106 Citations

View as Search Results

24 Claims

1. A method for detecting the presence of malicious computer code in a plurality of e-mails, said method comprising, for each e-mail, the steps of:
- calculating a feature vector, said feature vector being representative of a presence of a plurality of preselected features in the e-mail, wherein a feature bin table is updated with an entry for each preselected feature and wherein at least one preselected feature is based on a file attached to the e-mail and at least one preselected feature is based on a script associated with the email;
  
  calculating at least one decaying weighted score based upon said feature vector, wherein each said score is calculated based on a number of entries in the feature bin table within a current time window, an application of a first decay function to a value which indicates a number of deleted entries in the feature bin table and an application of a second decay function to at least a first previously calculated at least one score based upon said feature vector;
  
  determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
  
  when a score exceeds a preselected malicious threshold, blocking said e-mail.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1 wherein a feature vector is not calculated when the e-mail is deemed to be harmless according to preselected criteria.
  - 3. The method of claim 2 wherein said preselected criteria include criteria from the group comprising:
    - the e-mail has no attachments; and
      
      the e-mail contains no script.
  - 4. The method of claim 1 further comprising, prior to executing the first calculating step, the step of placing the e-mail into a delay queue for a preselected time X while the method steps of claim 1 are performed.
  - 5. The method of claim 4 further comprising the steps of:
    - determining whether the score S crosses a preselected suspicion threshold; and
      
      when S crosses the preselected suspicion threshold, adjusting X.
  - 6. The method of claim 5 wherein X is adjusted for all e-mails having the feature instance corresponding to S.
  - 7. The method of claim 5 wherein X is increased when the suspicion threshold is crossed in a positive direction.
  - 8. The method of claim 5 wherein X is decreased when the suspicion threshold is crossed in a negative direction.
  - 9. The method of claim 4 further comprising, when the score is greater than the malicious threshold, removing from the delay queue all e-mails having a feature instance corresponding to the feature instance having the score that exceeded the malicious threshold.
  - 10. The method of claim 1 wherein the feature vector comprises at least one entry, said method further comprising the steps of:
    - comparing each entry in the feature vector with entries in a pre-established blocked feature instance library; and
      
      when an entry in the feature vector matches an entry in the blocked feature instance library, blocking said e-mail.
  - 11. The method of claim 10 further comprising the step of removing false positives from the blocked feature instance library.
  - 12. The method of claim 1 further comprising the step of updating, for each e-mail, the feature bin table, said updating comprising augmenting the feature bin table with one entry for each instance of each feature.
  - 13. The method of claim 12 wherein each score S has three components:
    - a first component representative of the number of entries in the feature bin table within the current time window Q;
      
      a decaying weighted value R representing the entries recently deleted from the feature bin table; and
      
      a memory decaying weighted value P taking into account all of the previously calculated scores S for that feature instance.
  - 14. The method of claim 13 wherein S is calculated using an algorithm containing parameters that are determined empirically.
  - 15. The method of claim 12 wherein each feature bin table entry comprises an identifier of the e-mail and a time stamp.
  - 16. The method of claim 12 farther comprising the step of determining whether a current time of arrival of the e-mail exceeds a time of a first entry in the feature bin table for that feature instance by more than a preselected sample time Q, and when the current time so exceeds said time of first entry, placing all feature bin table entries for that feature instance whose times are older than the current time by more than Q into a recently removed entry storage area.
  - 17. The method of claim 1 wherein each score is recalculated whenever a feature vector is calculated.
  - 18. The method of claim 1 wherein the blocking step comprises at least one of the following:
    - alerting a system administrator;
      
      deleting the e-mail;
      
      quarantining the e-mail; and
      
      analyzing the e-mail.
  - 19. The method of claim 1 farther comprising the step of updating a virus signature library when a score exceeds the preestablished malicious threshold.
  - 20. The method of claim 1 wherein said plurality of e-mails seek to enter an enterprise from outside the enterprise.
  - 21. The method of claim 1 wherein said plurality of e-mails seek to exit an enterprise en route to locations outside the enterprise.
  - 22. The method of claim 1 wherein at least one preselected feature is a feature from the following group of features:
    - contents of a subject line of the e-mail;
      
      an e-mail attachment;
      
      a hash of an e-mail attachment;
      
      a name of an e-mail attachment;
      
      a size of an e-mail attachment;
      
      a hash of an e-mail body;
      
      parsed script within the e-mail body;
      
      a hash of parsed script within the e-mail body;
      
      parsed script within an e-mail attachment;
      
      a hash of parsed script within an e-mail attachment.

23. A computer-readable storage medium containing computer program instructions for detecting the presence of malicious computer code in a plurality of e-mails, said computer program instructions performing, for each e-mail, the steps of:
- calculating a feature vector, said feature vector being representative of a presence of a plurality of preselected features in the e-mail, wherein a feature bin table is updated with an entry for each preselected feature and at least one preselected feature is based an a script associated with the email;
  
  calculating at least one decaying weighted score based upon said feature vector, wherein each said score is calculated based an a number of entries in the feature bin table within a current time window, an application of a first decay function to a value which indicates a number of deleted entries in the feature bin table, and an application of a second decay function to at least a first previously calculated at least one score based upon said feature vector;
  
  determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
  
  when a score exceeds a preselected malicious threshold, blocking said e-mail.

24. Apparatus for detecting the presence of malicious computer code in a plurality of e-mails, the apparatus comprising:
- a processor configured to execute a method, said method comprising;
  
  calculating a feature vector for each e-mail, said feature vector being representative of a presence of a plurality of preselected features in the e-mail, wherein a feature bin table is updated with an entry for each preselected feature and at least one preselected feature is based an a script associated with the email;
  
  calculating for each e-mail at least one decaying weighted score based upon said feature vector, wherein each said score is calculated based on a number of entries in the feature bin table within a current time window, an application of a first decay function to a value which indicates a number of deleted entries in the feature bin table, and an application of a second decay function to at least a first previously calculated at least one score based upon said feature vector;
  
  determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
  
  blocking said e-mail when a score exceeds a preselected malicious threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kissel, Timo S.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
PATEL, NIRAV B

Application Number

US10/321,079
Publication Number

US 20040117648A1
Time in Patent Office

1,975 Days
Field of Search

713/188, 713/168, 713/153, 713/154, 726 11- 13, 726 22- 25, 709/206, 709/207, 709223-225, 709/203, 704/100, 704/25, 704/26, 706/20, 706/47, 706/15, 706/25, 702/182, 702/193, 702/194, 702/192, 714/100, 714/25, 714/26
US Class Current

726/22
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Proactive protection against e-mail worms and spam

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Proactive protection against e-mail worms and spam

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links