Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using Bayesian filtering

US 7,577,993 B2
Filed: 07/01/2005
Issued: 08/18/2009
Est. Priority Date: 07/01/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-assisted method of reducing spread of malware in an Instant Message (IM) system, comprising:

a) analyzing messages exchanged between an IM server and an IM client;

b) identifying one or more messages as possibly containing malware among the exchanged messages, at least one of the identified messages being a message sent to a virtual user having a virtual IM account, the virtual user automatically participating in a dialog with other users to elicit messages from malware operators;

c) assigning a confidence level to each identified message, wherein a confidence level represents a probability of a message containing malware;

d) training a Bayesian filter using the identified messages and the confidence levels;

e) adjusting the confidence levels using a Bayesian filter; and

f) iteratively applying steps a) through e) for identifying additional messages as possibly containing malware, for re-training the Bayesian filter using at least the identified additional messages, and for further adjusting the confidence levels using the Bayesian filter.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for reducing the spread of malware in communication between an instant message (IM) client and an IM server are described. An IM filter module (IM FM) is configured to analyze messages exchanged between an IM server and an IM client. The IM FM also identifies one or more messages as possibly containing malware among the exchanged messages and assigns a confidence level to each identified message. A confidence level represents a probability of a message containing malware. A Bayesian filter is configured to train itself using the identified messages and the confidence levels and adjust the confidence levels. A feedback training mechanism for the Bayesian filter is also included. In particular, the IM FM examines additional messages exchanged between the IM server and IM client, identifies one or more messages as possibly containing malware among the additional messages using the adjusted confidence values. The IM FM also assigns a confidence level to each additionally identified message. The Bayesian filter is further configured to re-train itself using the identified messages, the additionally identified messages, and the confidence levels and adjust the confidence levels.

Citations

35 Claims

1. A computer-assisted method of reducing spread of malware in an Instant Message (IM) system, comprising:
- a) analyzing messages exchanged between an IM server and an IM client;
  
  b) identifying one or more messages as possibly containing malware among the exchanged messages, at least one of the identified messages being a message sent to a virtual user having a virtual IM account, the virtual user automatically participating in a dialog with other users to elicit messages from malware operators;
  
  c) assigning a confidence level to each identified message, wherein a confidence level represents a probability of a message containing malware;
  
  d) training a Bayesian filter using the identified messages and the confidence levels;
  
  e) adjusting the confidence levels using a Bayesian filter; and
  
  f) iteratively applying steps a) through e) for identifying additional messages as possibly containing malware, for re-training the Bayesian filter using at least the identified additional messages, and for further adjusting the confidence levels using the Bayesian filter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein identifying additional messages further comprises:
    - identifying a certain number of messages as containing malware if the certain number of messages contains an identical content as determined using the confidence levels adjusted by the Bayesian filter.
  - 3. The method of claim 1, wherein identifying additional messages further comprises:
    - identifying two or more messages sent by the IM client as containing malware if the two or more messages are sent at too short of an interval to be sent by a person as determined using the confidence levels adjusted by the Bayesian filter.
  - 4. The method of claim 1, wherein identifying additional messages further comprises:
    - identifying messages sent by the IM client as containing malware if the IM client sends a large number of messages after receiving one message from the IM server as determined using the confidence levels adjusted by the Bayesian filter.
  - 5. The method of claim 1, wherein identifying additional messages further comprises:
    - identifying a message as containing malware when a content of the message is longer than an average content by a statistically significant amount as determined using the confidence levels adjusted by the Bayesian filter.
  - 6. The method of claim 1, wherein identifying additional messages further comprises:
    - resolving a URL contained in a message sent from the IM server to the IM client; and
      
      identifying the message as possibly containing malware when the URL resolves to a URL that is similar to a known source of malware as determined using the confidence levels adjusted by the Bayesian filter.
  - 7. The method of claim 1, wherein identifying additional messages further comprises:
    - parsing a content of a message into individual words; and
      
      identifying the message as possibly containing malware when the average length is longer than an average length of words in the messages by a significant statistical amount as determined using the confidence levels adjusted by the Bayesian filter.
  - 8. The method of claim 1, further comprising:
    - automatically registering virtual account names for each of a plurality of virtual users; and
      
      generating fictitious personal descriptions for each of the registered virtual users, the descriptions tailored to entice malware operators to communicate with the registered virtual users.
  - 9. The method of claim 8, further comprising:
    - setting a number of registered virtual users to be statistically significant for trapping malware messages.
  - 10. The method of claim 1, further comprising:
    - storing, into a database, unique identifiers of the messages identified as containing malware; and
      
      blocking any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database as sources of malware.
  - 11. The method of claim 1, further comprising:
    - storing, into a database, contents of the messages identified as containing malware; and
      
      blocking any message that contains an identical or similar content with contents of messages stored in the database as sent by sources of malware.
  - 12. The method of claim 1, further comprising:
    - performing logon steps for a plurality of virtual users; and
      
      accepting, for the logged-on virtual users, invitations to join buddy lists.
  - 13. The method of claim 1, wherein iteratively applying steps a) through e) further comprises:
    - examining additional messages exchanged between the IM server and IM client;
      
      identifying one or more messages as possibly containing malware among the additional messages using the adjusted confidence values;
      
      assigning a confidence level to each additionally identified message;
      
      re-training the Bayesian filter using the identified messages, the additionally identified messages, and the confidence levels;
      
      adjusting the confidence levels using the Bayesian filter; and
      
      repeating each of the above steps after a certain interval of time or after receiving a notification that the assigning step has been completed.

14. A computer-assisted system of reducing spread of malware in an instant message (IM) system, comprising:
- a) an IM filter module configured to analyze messages exchanged between an IM server and an IM client to identify one or more messages as possibly containing malware among the exchanged messages, at least one of the identified messages being a message sent to a virtual user having a virtual IM account, the virtual user automatically participating in a dialog with other users to elicit messages from malware operators, and to assign a confidence level to each identified message, wherein a confidence level represents a probability of a message containing malware;
  
  b) a Bayesian filter configured to train itself using the identified messages and the confidence levels, and to adjust the confidence levels;
  
  c) the IM filter module further configured to identify additional messages as possibly containing malware; and
  
  d) the Bayesian filter further configured to re-train itself using at least the identified additional messages and to further adjust the confidence levels.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The system of claim 14, wherein the IM filter module is further configured to identify a certain number of messages as containing malware if the certain number of messages contains an identical content as determined using the confidence levels adjusted by the Bayesian filter.
  - 16. The system of claim 14, wherein the IM filter module is further configured to identify two or more messages sent by the IM client as containing malware if the two or more messages are sent at too short of an interval to be sent by a person as determined using the confidence levels adjusted by the Bayesian filter.
  - 17. The system of claim 14, wherein the IM filter module is further configured to identify messages sent by the IM client as containing malware if the IM client sends a large number of messages after receiving one message from the IM server as determined using the confidence levels adjusted by the Bayesian filter.
  - 18. The system of claim 14, wherein the IM filter module is further configured to identify a message as containing malware when a content of the message is longer than an average content by a statistically significant amount as determined using the confidence levels adjusted by the Bayesian filter.
  - 19. The system of claim 14, wherein the IM filter module is further configured to resolve a URL contained in a message sent from the IM server to the IM client, and identify the message as possibly containing malware when the URL resolves to a URL that is similar to a known source of malware as determined using the confidence levels adjusted by the Bayesian filter.
  - 20. The system of claim 14, wherein the IM filter module is further configured to parse a content of a message into individual words, and identify the message as possibly containing malware when the average length is longer than an average length of words in the messages by a significant statistical amount as determined using the confidence levels adjusted by the Bayesian filter.
  - 21. The system of claim 14, wherein the IM filter module is further configured to:
    - connect a plurality of virtual users in a chat room; and
      
      automatically participate in dialogs, for the plurality of virtual users, with other users.
  - 22. The system of claim 21, wherein the IM filter module is further configured to participate in dialogs by using whole expression matching or parameterized regular expression matching to send responses to received messages.
  - 23. The system of claim 14, further comprising:
    - a database configured to store unique identifiers of the messages identified as containing malware; and
      
      the IM filter module is further configured to block any message that contains an identical or similar unique identifier with any of the unique identifier stored in the database.

24. A computer program product comprising a computer-readable medium storing computer instructions for configuring a computer to perform steps comprising:
- a) analyzing messages exchanged between an IM server and an IM client;
  
  b) identifying one or more messages as possibly containing malware among the exchanged messages, at least one of the identified messages being a message sent to a virtual user having a virtual IM account, the virtual user automatically participating in a dialog with other users to elicit messages from malware operators;
  
  c) assigning a confidence level to each identified message, wherein a confidence level represents a probability of a message containing malware;
  
  d) training a Bayesian filter using the identified messages and the confidence levels;
  
  e) adjusting the confidence levels using a Bayesian filter; and
  
  f) iteratively applying steps a) through e) for identifying additional messages as possibly containing malware, for re-training the Bayesian filter using at least the identified additional messages, and for further adjusting the confidence levels using the Bayesian filter.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 25. The product of claim 24, wherein the instructions for identifying additional messages further comprise instructions for:
    - identifying a certain number of messages as containing malware if the certain number of messages contains an identical content as determined using the confidence levels adjusted by the Bayesian filter.
  - 26. The product of claim 24, wherein the instructions for identifying additional messages further comprise instructions for:
    - identifying two or more messages sent by the IM client as containing malware if the two or more messages are sent at too short of an interval to be sent by a person as determined using the confidence levels adjusted by the Bayesian filter.
  - 27. The product of claim 24, wherein the instructions for identifying additional messages further comprise instructions for:
    - identifying messages sent by the IM client as containing malware if the IM client sends a large number of messages after receiving one message from the IM server as determined using the confidence levels adjusted by the Bayesian filter.
  - 28. The product of claim 24, wherein the instructions for identifying additional messages further comprise instructions for:
    - identifying a message as containing malware when a content of the message is longer than an average content by a statistically significant amount as determined using the confidence levels adjusted by the Bayesian filter.
  - 29. The product of claim 24, wherein the instructions for identifying additional messages further comprise instructions for:
    - resolving a URL contained in a message sent from the IM server to the IM client; and
      
      identifying the message as possibly containing malware when the URL resolves to a URL that is similar to a known source of malware as determined using the confidence levels adjusted by the Bayesian filter.
  - 30. The product of claim 24, wherein the instructions for identifying additional messages further comprise instructions for:
    - parsing a content of a message into individual words; and
      
      identifying the message as possibly containing malware when the average length is longer than an average length of words in the messages by a significant statistical amount as determined using the confidence levels adjusted by the Bayesian filter.
  - 31. The product of claim 24, further comprising instructions for:
    - adding fictitious buddies to a buddy list of the IM client;
      
      determining that the IM client has sent a message to one of the fictitious buddies; and
      
      detecting that the IM client is infected with malware in response to the determination.
  - 32. The product of claim 24, further comprising instructions for:
    - storing, into a database, unique identifiers of the messages identified as containing malware andblocking any message that is sent by a user of the IM server having an identical or similar unique identifier with any unique identifiers stored in the database as sources of malware.
  - 33. The product of claim 24, further comprising instructions for:
    - periodically sending messages to a user of the IM client using account names of fictitious buddies for eliciting malware responses.
  - 34. The product of claim 24, farther comprising instructions for:
    - storing, into a database, contents of the messages identified as containing malware andblocking any message that contains an identical or similar content with contents of messages stored in the database as sent by sources of malware.
  - 35. The product of claim 24, wherein iteratively applying steps a) through e) further comprises:
    - examining additional messages exchanged between the IM server and IM client;
      
      identifying one or more messages as possibly containing malware among the additional messages using the adjusted confidence values;
      
      assigning a confidence level to each additionally identified message;
      
      re-training the Bayesian filter using the identified messages, the additionally identified messages, and the confidence levels;
      
      adjusting the confidence levels using the Bayesian filter; and
      
      repeating each of the above steps.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Shah, Milan, Lorenzo, Eric Lyle, Roychowdhary, Anandamoy, Gilliland, Arthur William, Desouza, Francis Aurelio, Sakoda, Jon
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ALMEIDA, DEVIN E

Application Number

US11/171,249
Publication Number

US 20070006026A1
Time in Patent Office

1,509 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using Bayesian filtering

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by using Bayesian filtering

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links