Proactive protection against e-mail worms and spam
First Claim
1. A method for detecting the presence of malicious computer code in a plurality of e-mails, said method comprising, for each e-mail, the steps of:
calculating a feature vector, said feature vector being representative of a presence of a plurality of preselected features in the e-mail, wherein a feature bin table is updated with an entry for each preselected feature and wherein at least one preselected feature is based on a file attached to the e-mail and at least one preselected feature is based on a script associated with the email;
calculating at least one decaying weighted score based upon said feature vector, wherein each said score is calculated based on a number of entries in the feature bin table within a current time window, an application of a first decay function to a value which indicates a number of deleted entries in the feature bin table and an application of a second decay function to at least a first previously calculated at least one score based upon said feature vector;
determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and
when a score exceeds a preselected malicious threshold, blocking said e-mail.
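The claim describes a per-feature frequency detector: every e-mail contributes one entry per preselected feature to a feature bin table, and each bin's score is the count of entries in the current window plus a decayed credit for entries that aged out plus a decayed copy of the bin's previous score. The code below is an added worked example written for this page, not the patent's own implementation or any assignee's product. The feature set (attachment extension, attachment SHA-256, hash of an embedded script), the window length, both decay functions, the per-feature thresholds and the sample traffic are all assumptions constructed for illustration.

```python
import hashlib
import math
from dataclasses import dataclass, field

# Tunables. Every value here is an assumption chosen for the example, not from the patent.
WINDOW = 60.0            # seconds; bin entries older than this are deleted from the bin
DELETED_WEIGHT = 0.5     # first decay function: each deleted entry still counts this much
SCORE_TAU = 120.0        # second decay function: previous score decays as exp(-dt / SCORE_TAU)
DEFAULT_THRESHOLD = 6.0  # preselected malicious threshold for features not listed below
THRESHOLDS = {
    "attach_sha256": 6.0,
    "script_sha256": 6.0,
    "attach_ext": 25.0,  # coarse feature shared by benign mail, so it needs a much higher bar
}


@dataclass
class Bin:
    """One row of the feature bin table for a single (feature, instance) pair."""
    entries: list = field(default_factory=list)   # arrival times of e-mails carrying it
    prev_score: float = 0.0
    prev_time: float = 0.0


def feature_vector(email):
    """Preselected features present in the e-mail, as (feature, instance) pairs.
    At least one comes from an attached file and one from an associated script,
    as claim 1 requires; this particular feature set is an assumption."""
    feats = []
    for name, data in email.get("attachments", []):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        feats.append(("attach_ext", ext))
        feats.append(("attach_sha256", hashlib.sha256(data).hexdigest()))
    script = email.get("script")          # e.g. a script embedded in an HTML body
    if script:
        feats.append(("script_sha256", hashlib.sha256(script.encode()).hexdigest()))
    return feats


class Detector:
    def __init__(self, window=WINDOW, deleted_weight=DELETED_WEIGHT,
                 score_tau=SCORE_TAU, thresholds=THRESHOLDS):
        self.window, self.deleted_weight, self.score_tau = window, deleted_weight, score_tau
        self.thresholds = thresholds
        self.table = {}   # feature bin table: (feature, instance) -> Bin

    def _score(self, b, now):
        b.entries.append(now)                        # one entry per e-mail per feature
        cutoff = now - self.window
        kept = [t for t in b.entries if t >= cutoff]
        deleted = len(b.entries) - len(kept)         # entries aged out of the current window
        b.entries = kept
        # decaying weighted score = entries in current window
        #   + first decay function applied to the number of deleted entries
        #   + second decay function applied to the previously calculated score
        decayed_prev = b.prev_score * math.exp(-(now - b.prev_time) / self.score_tau)
        score = len(kept) + self.deleted_weight * deleted + decayed_prev
        b.prev_score, b.prev_time = score, now
        return score

    def process(self, email, now):
        """Score every feature of one e-mail; block if any bin exceeds its threshold.
        Returns (blocked, highest_score, feature_with_highest_score)."""
        blocked, worst_score, worst_feat = False, 0.0, None
        for key in feature_vector(email):
            s = self._score(self.table.setdefault(key, Bin()), now)
            if s > self.thresholds.get(key[0], DEFAULT_THRESHOLD):
                blocked = True
            if s > worst_score:
                worst_score, worst_feat = s, key[0]
        return blocked, worst_score, worst_feat


def run_demo():
    """Constructed traffic: two benign PDFs, a burst of identical worm mails one second
    apart, then two stragglers after a long lull. Returns [(label, blocked, score), ...]."""
    det = Detector()
    worm = {"attachments": [("photo.jpg.vbs", b"constructed worm body")],
            "script": 'Set fso = CreateObject("Scripting.FileSystemObject")'}
    traffic = [
        ("pdf-1", {"attachments": [("report.pdf", b"constructed pdf 1")]}, 0.0),
        ("pdf-2", {"attachments": [("invoice.pdf", b"constructed pdf 2")]}, 5.0),
    ]
    traffic += [(f"worm-{i + 1}", worm, 10.0 + i) for i in range(6)]
    traffic += [("worm-late-1", worm, 500.0), ("worm-late-2", worm, 501.0)]
    out = []
    for label, email, t in traffic:
        blocked, score, _ = det.process(email, t)
        out.append((label, blocked, round(score, 2)))
    return out


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

In this run the fourth identical worm mail crosses the threshold, because each bin's score compounds the previous score on top of the raw count. The straggler at t=500 is not blocked on its own (the six earlier entries have been deleted from the window and the old score has decayed), but the deleted-entry credit keeps enough memory that the very next copy is blocked again. Two practitioner caveats: a coarse feature such as the attachment extension is shared by legitimate traffic and would block ordinary PDF bursts at the hash threshold, hence the separate, higher bar for it here; and because the score compounds, the window length and both decay constants together set how many copies are tolerated, so they should be tuned against real mail volume rather than picked in isolation.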
Abstract
Methods, apparati, and computer-readable media for detecting the presence of malicious computer code in a plurality of e-mails. In a method embodiment of the present invention, the following steps are performed for each e-mail: calculating a feature vector (80), said feature vector (80) being representative of a presence of at least one preselected feature in the e-mail; calculating at least one score (S) based upon said feature vector (80), each said score (S) being representative of a frequency of occurrence of an instance of a feature; determining whether any score (S) exceeds a preselected malicious threshold representative of malicious computer code; and when a score (S) exceeds a preselected malicious threshold, blocking said e-mail.
106 Citations
24 Claims
1. (Independent claim; reproduced above under First Claim.) Claims 2 through 22 are dependent on claim 1 and are not reproduced on this page.
23. A computer-readable storage medium containing computer program instructions for detecting the presence of malicious computer code in a plurality of e-mails, said computer program instructions performing, for each e-mail, the steps of:
calculating a feature vector, said feature vector being representative of a presence of a plurality of preselected features in the e-mail, wherein a feature bin table is updated with an entry for each preselected feature and at least one preselected feature is based on a script associated with the email; calculating at least one decaying weighted score based upon said feature vector, wherein each said score is calculated based on a number of entries in the feature bin table within a current time window, an application of a first decay function to a value which indicates a number of deleted entries in the feature bin table, and an application of a second decay function to at least a first previously calculated at least one score based upon said feature vector; determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and when a score exceeds a preselected malicious threshold, blocking said e-mail.
24. Apparatus for detecting the presence of malicious computer code in a plurality of e-mails, the apparatus comprising:
a processor configured to execute a method, said method comprising: calculating a feature vector for each e-mail, said feature vector being representative of a presence of a plurality of preselected features in the e-mail, wherein a feature bin table is updated with an entry for each preselected feature and at least one preselected feature is based on a script associated with the email; calculating for each e-mail at least one decaying weighted score based upon said feature vector, wherein each said score is calculated based on a number of entries in the feature bin table within a current time window, an application of a first decay function to a value which indicates a number of deleted entries in the feature bin table, and an application of a second decay function to at least a first previously calculated at least one score based upon said feature vector; determining whether any score exceeds a preselected malicious threshold representative of malicious computer code; and blocking said e-mail when a score exceeds a preselected malicious threshold.
Specification