Methods and systems for detecting and preventing the spread of malware on instant messaging (IM) networks by analyzing message traffic patterns
First Claim
1. A computer-assisted method of reducing the spread of malware in an instant message (IM) system, comprising:
using a computer configured to execute method steps comprising:
examining incoming messages from an IM server to an IM client;
examining outgoing messages from the IM client to the IM server;
analyzing a relationship among the incoming and outgoing messages;
generating a plurality of virtual users with virtual IM accounts containing fictitious information, the fictitious information tailored to entice malware operators to communicate with the virtual users;
sending one or more messages to the IM client via the virtual IM accounts to elicit return messages from a particular type of malware operator, the particular type being one that observes whether IM accounts are passive or active and sends return messages only to active IM accounts that have previously sent messages;
comparing the incoming and outgoing messages with a database of information stored about likely malware messages that were sent to virtual users, the information about a likely malware message stored in the database including a confidence level indicating the likelihood of the message being a malware message; and
determining whether one or more messages contain malware based on the analysis of the relationship among the incoming and outgoing messages and based on the comparison with the database of information stored about likely malware messages that were sent to virtual users.
Abstract
Methods and systems for reducing the spread of malware in communication between an instant message (IM) client and an IM server are described. An IM filter module (IM FM) is configured to examine incoming messages from an IM server to an IM client and outgoing messages from the IM client to the IM server. The IM filter module is further configured to analyze the relationship among the incoming and outgoing messages and to determine whether one or more messages contain malware based on that analysis.
37 Claims
17. A computer-assisted system of reducing the spread of malware in an instant message (IM) system, comprising:
a non-transitory computer-readable storage medium storing executable software modules comprising:
an IM filter module configured to examine incoming messages from an IM server to an IM client and outgoing messages from the IM client to the IM server, the IM filter module being further configured to:
generate a plurality of virtual users with virtual IM accounts containing fictitious information, the fictitious information tailored to entice malware operators to communicate with the virtual users;
analyze a relationship among the incoming and outgoing messages;
send one or more messages to the IM client via the virtual IM accounts to elicit return messages from a particular type of malware operator, the particular type being one that observes whether IM accounts are passive or active and sends return messages only to active IM accounts that have previously sent messages;
compare the incoming and outgoing messages with a database of information stored about likely malware messages that were sent to virtual users, the information about a likely malware message stored in the database including a confidence level indicating the likelihood of the message being a malware message; and
determine whether one or more messages contain malware based on the analysis of the relationship among the incoming and outgoing messages and based on the comparison with the database of information stored about likely malware messages that were sent to virtual users; and
a computer configured to execute the software modules stored by the computer-readable storage medium.
25. A non-transitory computer-readable storage medium storing executable computer program instructions for reducing the spread of malware in an instant message (IM) system, the computer program instructions comprising computer instructions for configuring a computer to perform the acts of:
examining incoming messages from an IM server to an IM client;
examining outgoing messages from the IM client to the IM server;
analyzing a relationship among the incoming and outgoing messages;
generating a plurality of virtual users with virtual IM accounts containing fictitious information, the fictitious information tailored to entice malware operators to communicate with the virtual users;
sending one or more messages to the IM client via the virtual IM accounts to elicit return messages from a particular type of malware operator, the particular type being one that observes whether IM accounts are passive or active and sends return messages only to active IM accounts that have previously sent messages;
comparing the incoming and outgoing messages with a database of information stored about likely malware messages that were sent to virtual users, the information about a likely malware message stored in the database including a confidence level indicating the likelihood of the message being a malware message; and
determining whether one or more messages contain malware based on the analysis of the relationship among the incoming and outgoing messages and based on the comparison with the database of information stored about likely malware messages that were sent to virtual users.
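The independent claims above all describe the same two-part filter: relate each incoming message to the client's own outgoing traffic, and compare it against a database of messages that reached virtual (decoy) accounts, each entry carrying a confidence level. The following toy IM filter module is an added illustration of that design, not code from the patent or its assignee; the scoring weights, threshold, account names and message bodies are constructed assumptions.

```python
"""Toy IM filter module (IM FM) after the claims: relationship analysis of in/out
traffic plus a honeypot database seeded by virtual (decoy) accounts. All names,
message bodies, weights and thresholds here are constructed for illustration."""
from dataclasses import dataclass, field
import re
def normalize(body: str) -> str:
    # Fold case/whitespace and mask URLs so lightly mutated copies still match.
    return re.sub(r"https?://\S+", "<url>", " ".join(body.lower().split()))

def combine(a: float, b: float) -> float:
    # Noisy-OR: independent evidence raises confidence without exceeding 1.0.
    return 1.0 - (1.0 - a) * (1.0 - b)

@dataclass
class IMFilter:
    honeypot_db: dict = field(default_factory=dict)  # normalized body -> confidence
    threshold: float = 0.7
    sent_to: set = field(default_factory=set)        # peers the client has written to
    recent_in: set = field(default_factory=set)      # normalized bodies received so far

    def record_honeypot(self, body: str, confidence: float) -> None:
        # A message that reached a virtual user is stored with its confidence level.
        key = normalize(body)
        self.honeypot_db[key] = max(confidence, self.honeypot_db.get(key, 0.0))

    def inspect(self, direction: str, peer: str, body: str) -> tuple:
        """Return (is_malware, confidence, reasons); direction "in" = server->client, "out" = client->server."""
        key = normalize(body)
        score = self.honeypot_db.get(key, 0.0)
        reasons = ["matches honeypot db"] if score else []
        if direction == "in":
            if peer not in self.sent_to:       # nothing was ever sent to this peer
                score = combine(score, 0.5)
                reasons.append("unsolicited")
            self.recent_in.add(key)
        else:
            self.sent_to.add(peer)
            if key in self.recent_in:          # client echoes a body it just received
                score = combine(score, 0.9)
                reasons.append("relays received message")
        return score >= self.threshold, round(score, 3), reasons

def run_demo() -> list:
    # Constructed traffic: a honeypot-seeded lure, a benign chat, then a relayed worm body.
    f = IMFilter()
    f.record_honeypot("LOL is this you?? http://decoy.example/pic.jpg", 0.6)
    traffic = [("in", "bob", "lol is this you?? http://other.example/x"), ("out", "alice", "lunch at 12?"),
               ("in", "alice", "sure"), ("in", "carol", "check this http://evil.example/worm"),
               ("out", "dave", "check this http://evil.example/worm")]
    return [f.inspect(*t) for t in traffic]
```

Only the honeypot hit combined with an unsolicited arrival, and the client relaying a body it just received, cross the threshold; an unsolicited message on its own is recorded but not blocked.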