Method and apparatus for detecting and responding to email based propagation of malicious software in a trusted network
First Claim
1. A method for detecting and responding to email based propagation of malicious software (malware) in a trusted network comprising:
providing a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network;
providing at least one email account for the domain within the trusted network as a detector probe account;
generating a policy based infection response rule when the detector decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rule comprises automatically initiating said associated infection response, wherein said automatically initiated infection response utilizes an auditing action selected from the group of auditing actions including:
auditing each account receiving an email from the infected account prior to the infection response, tagging each said account receiving an email from the infected account as a potential threat, and auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.
2 Assignments
0 Petitions
Abstract
Embodiments of the invention provide a method and an apparatus for detecting and responding to email based propagation of malicious software (malware) in a trusted network. One embodiment provides a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network. In addition, at least one email account for the domain within the trusted network is provided as a detector probe account. In so doing, when the detector decoy email account receives an email from the detector probe account within the trusted network a policy based infection response rule is generated.
53 Citations
25 Claims
1. A method for detecting and responding to email based propagation of malicious software (malware) in a trusted network comprising:
providing a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network;
providing at least one email account for the domain within the trusted network as a detector probe account;
generating a policy based infection response rule when the detector decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rule comprises automatically initiating said associated infection response, wherein said automatically initiated infection response utilizes an auditing action selected from the group of auditing actions including:
auditing each account receiving an email from the infected account prior to the infection response, tagging each said account receiving an email from the infected account as a potential threat, and auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A computer-implemented email based propagation of malicious software (malware) detector for a trusted network comprising:
a detector email account provider for providing a detector email account for a domain within the trusted network;
a detector probe account provider for setting each email account for a domain within the trusted network as a detector probe account by configuring the detector decoy email account to serve as generic bait for malicious software, said detector probe account hardened to prevent accidental deletion or modification;
a policy based infection response rules generator for generating a policy based infection response when the decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rules generator automatically initiates an associated infection response, wherein said automatically initiated infection response is selected from the group of responses including:
an account auditor for auditing each account receiving an email from the infected account prior to the infection response, an account tagger for tagging each said account receiving an email from the infected account as a potential threat, and an account auditor for auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.
Dependent claims: 11, 12, 13, 14, 15, 16
17. A computer-usable medium having computer-readable program code embodied therein for causing a method for detecting and responding to email based propagation of malicious software (malware) in a trusted network comprising:
providing a detector decoy email account to serve as generic bait for malicious software for a domain within the trusted network;
providing at least one email account for the domain within the trusted network as a detector probe account;
generating a policy based infection response rule when the detector decoy email account receives an email from the detector probe account within the trusted network, wherein said policy based infection response rule comprises automatically initiating said associated infection response, wherein said automatically initiated infection response utilizes an auditing action selected from the group of auditing actions including:
auditing each account receiving an email from the infected account prior to the infection response, tagging each said account receiving an email from the infected account as a potential threat, and auditing all emails that were sent from the infected account within a day from the time the malware was detected, for later root cause analysis.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25
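The abstract and the three independent claims above describe one detection rule and three auditing actions. As an added illustration (this is not code from the patent, its assignee or any product), the following Python model runs that rule over a constructed mail log: a decoy mailbox that no person uses sits in the directory as bait; every real mailbox in the domain is a probe; the moment a probe account mails the decoy, that probe is treated as infected, and the response collects every account the infected account mailed up to the trigger, tags each one as a potential threat, and retains the infected account's outbound mail from the preceding day for root cause analysis. The domain, account names, message log, the 24-hour reading of "within a day" (the day before detection) and the one-response-per-account rule are all assumptions made for the example; the claim 10 hardening of probe accounts against deletion or modification is an administrative control and is not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed trusted-network domain and account names (constructed for this example).
DOMAIN = "example.com"
DECOY = f"decoy-bait@{DOMAIN}"   # decoy account: in the address book, never used by a person
PROBES = {f"{u}@{DOMAIN}" for u in ("alice", "bob", "carol", "dave")}  # every real mailbox
AUDIT_WINDOW = timedelta(days=1)  # "within a day", read here as the 24 h before detection


@dataclass(frozen=True)
class Message:
    ts: datetime
    sender: str
    recipients: tuple[str, ...]
    subject: str


@dataclass
class InfectionResponse:
    infected: str
    detected_at: datetime
    trigger: Message
    prior_recipients: set[str] = field(default_factory=set)  # accounts the infected one mailed
    tagged: dict[str, str] = field(default_factory=dict)     # account -> tag
    audited: list[Message] = field(default_factory=list)     # outbound mail in the audit window


def is_probe(addr: str, probes: set[str] = PROBES) -> bool:
    return addr.lower() in probes


def build_response(messages, trigger, decoy=DECOY, window=AUDIT_WINDOW) -> InfectionResponse:
    """The three auditing actions of the claims, applied to the mail log."""
    infected = trigger.sender.lower()
    resp = InfectionResponse(infected=infected, detected_at=trigger.ts, trigger=trigger)
    for m in sorted(messages, key=lambda m: m.ts):
        if m.sender.lower() != infected:
            continue
        # Action 1: every account that received mail from the infected account up to and
        # including the trigger message (the decoy itself is bait, not a victim).
        if m.ts <= trigger.ts:
            resp.prior_recipients.update(
                r.lower() for r in m.recipients if r.lower() != decoy.lower())
        # Action 3: keep what the account sent in the window, for later root cause analysis.
        if trigger.ts - window <= m.ts <= trigger.ts:
            resp.audited.append(m)
    # Action 2: tag each of those recipients as a potential threat.
    for r in resp.prior_recipients:
        resp.tagged[r] = "potential threat"
    return resp


def detect(messages, decoy=DECOY, probes=PROBES) -> list[InfectionResponse]:
    """Policy rule: a probe account mailing the decoy means that probe account is infected."""
    responses, seen = [], set()
    for m in sorted(messages, key=lambda m: m.ts):
        hits_decoy = any(r.lower() == decoy.lower() for r in m.recipients)
        if not hits_decoy or not is_probe(m.sender, probes):
            continue  # external mail to the decoy is not propagation inside the trusted network
        if m.sender.lower() in seen:
            continue  # one response per infected account (assumption)
        seen.add(m.sender.lower())
        responses.append(build_response(messages, m, decoy))
    return responses


T0 = datetime(2024, 3, 1, 9, 0)  # constructed detection time
SAMPLE_LOG = [  # constructed mail log
    Message(T0 - timedelta(days=2), "alice@example.com", ("bob@example.com",), "Q1 numbers"),
    Message(T0 - timedelta(hours=3), "alice@example.com",
            ("carol@example.com", "dave@example.com"), "Invoice attached"),
    Message(T0 - timedelta(hours=1), "attacker@evil.example", ("decoy-bait@example.com",), "You won"),
    Message(T0, "alice@example.com", ("decoy-bait@example.com", "bob@example.com"), "Important document"),
    Message(T0 + timedelta(minutes=30), "alice@example.com", ("dave@example.com",), "Important document"),
    Message(T0 + timedelta(hours=1), "bob@example.com", ("carol@example.com",), "RE: Important document"),
]

if __name__ == "__main__":
    for r in detect(SAMPLE_LOG):
        print(f"{r.infected} infected at {r.detected_at:%Y-%m-%d %H:%M} (trigger: {r.trigger.subject!r})")
        print("  tagged as potential threat:", sorted(r.tagged))
        print("  audited outbound mail:", [(m.ts.strftime('%H:%M'), m.subject) for m in r.audited])
```

Two points worth noting when reading the output. The external message to the decoy one hour before detection is ignored on purpose, because the claims key the rule on mail "from the detector probe account within the trusted network"; an external sender hitting the decoy is ordinary spam or a harvested address, not an internal infection. And the message alice sends half an hour after the trigger is neither a prior recipient nor in the audit window under the reading used here; a deployment would normally also block or quarantine the account at detection time, which the claims leave to the dependent claims and the policy.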
Specification