Method and apparatus for detecting and responding to email based propagation of malicious software in a trusted network

US 7,636,944 B2
Filed: 10/28/2005
Issued: 12/22/2009
Est. Priority Date: 10/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and responding to email based propagation of malicious software (malware) in a trusted network comprising:

providing a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network;

providing at least one email account for the domain within the trusted network as a detector probe account;

generating a policy based infection response rule when the detector decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rule comprises automatically initiating said associated infection response, wherein said automatically initiated infection response utilizes an auditing action selected from the group of auditing actions including;

auditing each account receiving an email from the infected account prior to the infection response, tagging each said account receiving an email from the infected account as a potential threat, and auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a method and an apparatus for detecting and responding to email based propagation of malicious software (malware) in a trusted network. One embodiment provides a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network. In addition, at least one email account for the domain within the trusted network is provided as a detector probe account. In so doing, when the detector decoy email account receives an email from the detector probe account within the trusted network a policy based infection response rule is generated.

53 Citations

View as Search Results

25 Claims

1. A method for detecting and responding to email based propagation of malicious software (malware) in a trusted network comprising:
- providing a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network;
  
  providing at least one email account for the domain within the trusted network as a detector probe account;
  
  generating a policy based infection response rule when the detector decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rule comprises automatically initiating said associated infection response, wherein said automatically initiated infection response utilizes an auditing action selected from the group of auditing actions including;
  
  auditing each account receiving an email from the infected account prior to the infection response, tagging each said account receiving an email from the infected account as a potential threat, and auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 further comprising:
    - providing every email account for the domain within the trusted network as a detector probe account.
  - 3. The method of claim 1 further comprising:
    - hardening said detector probe account to prevent accidental deletion or modification.
  - 4. The method of claim 3 wherein said hardening comprises:
    - providing a warning to a device within the trusted network when the detector decoy email account configuration is sought to be deleted or modified, and the action is denied.
  - 5. The method of claim 1 wherein said detector probe account configuration comprises:
    - providing an address for said detector decoy email account to the address book, contact list, inbox, and sent folders of said detector probe account within the trusted network.
  - 6. The method of claim 1 further comprising:
    - providing a different said detector decoy email account for every domain within the trusted network.
  - 7. The method of claim 1 wherein said automatically initiated infection response utilizes a blocking action selected from the group of blocking actions including:
    - isolating a system hosting the infected account from the trusted network, blocking the infected account from further email activity, and recalling all emails sent from the infected account prior to the infection response.
  - 8. The method of claim 1 wherein said automatically initiated infection response provides a notification action comprising:
    - sending an out-of-band action message to said infected account and any other potential threat account where reaction has been initiated.
  - 9. The method of claim 1 further comprising:
    - undoing the blocking action after the system hosting the infected account is disinfected.

10. A computer-implemented email based propagation of malicious software (malware) detector for a trusted network comprising:
- a detector email account provider for providing a detector email account for a domain within the trusted network;
  
  a detector probe account provider for setting each email account for a domain within the trusted network as a detector probe accounts by configuring the detector decoy email account to serve as generic bait for malicious software, said detector probe account hardened to prevent accidental deletion or modification;
  
  a policy based infection response rules generator for generating a policy based infection response when the decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rules generator automatically initiates associated infection response, wherein said automatically initiated infection response is selected from the group of responses including;
  
  an account auditor for auditing each account receiving an email from the infected account prior to the infection response, an account tagger for tagging each said account receiving an email from the infected account as a potential threat, and an account auditor for auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer-implemented email based malware detector of claim 10 wherein said detector probe email account provider configures the detector decoy email account address to the address book, contact list, inbox, and sent folders of every email account within the trusted network.
  - 12. The computer-implemented email based malware detector of claim 10 wherein said detector decoy email account provider provides a different said detector decoy email account for every domain within the trusted network.
  - 13. The computer-implemented email based malware detector of claim 10 wherein said hardened account provides a warning to a device within the trusted network when an attempt to delete or modify the detector decoy email account configuration occurs.
  - 14. The computer-implemented email based malware detector of claim 10 wherein said automatically initiated infection response is selected from the group of responses including:
    - a system isolator for isolating a system hosting the infected account from the trusted network, an account blocker for blocking the infected account from further activity, and an email account recaller for recalling all emails sent from the infected account prior to the infection response.
  - 15. The computer-implemented email based malware detector of claim 10 wherein said automatically initiated infection response is followed with notification action comprising:
    - a message generator for sending an out-of-band action message to said infected account and any other potential threat account where reaction has been initiated.
  - 16. The computer-implemented email based malware detector of claim 10 wherein after any blocking action is taken and a system hosting the infected account is disinfected, the blocking action is undone.

17. A computer-usable medium having computer-readable program code embodied therein for causing a method for detecting and responding to email based propagation of malicious software (malware) in a trusted network comprising:
- providing a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network;
  
  providing at least one email account for the domain within the trusted network as a detector probe account;
  
  generating a policy based infection response rule when the detector decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rule comprises automatically initiating said associated infection response, wherein said automatically initiated infection response utilizes an auditing action selected from the group of auditing actions including;
  
  auditing each account receiving an email from the infected account prior to the infection response, tagging each said account receiving an email from the infected account as a potential threat, and auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The computer-usable medium of claim 17 further comprising:
    - providing every email account for the domain within the trusted network as a detector probe account.
  - 19. The computer-usable medium of claim 17 further comprising:
    - hardening said detector probe account to prevent accidental deletion or modification.
  - 20. The computer-usable medium of claim 19 wherein said hardening comprises:
    - providing a warning to a device within the trusted network when the detector decoy email account configuration is sought to be deleted or modified, and the action is denied.
  - 21. The computer-usable medium of claim 17 wherein said detector probe account configuration comprises:
    - providing an address for said detector decoy email account to the address book, contact list, inbox, and sent folders of said detector probe account within the trusted network.
  - 22. The computer-usable medium of claim 17 further comprising:
    - providing a different said detector decoy email account for every domain within the trusted network.
  - 23. The computer-usable medium of claim 17 wherein said automatically initiated infection response utilizes a blocking action selected from the group of blocking actions including:
    - isolating a system hosting the infected account from the trusted network, blocking the infected account from further email activity, and recalling all emails sent from the infected account prior to the infection response.
  - 24. The computer-usable medium of claim 17 wherein said automatically initiated infection response provides a notification action comprising:
    - sending an out-of-band action message to said infected account and any other potential threat account where reaction has been initiated.
  - 25. The computer-usable medium of claim 17 further comprising:
    - undoing the blocking action after the system hosting the infected account is disinfected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Raikar, Amit
Primary Examiner(s)
Song; Hosuk

Application Number

US11/262,436
Publication Number

US 20070101430A1
Time in Patent Office

1,516 Days
Field of Search

726 1- 3, 726 11- 14, 726 22- 25, 713150-154, 713187-188
US Class Current

726/22
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

Method and apparatus for detecting and responding to email based propagation of malicious software in a trusted network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting and responding to email based propagation of malicious software in a trusted network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links