Identifying threats in electronic messages

US 7,854,007 B2
Filed: 05/05/2006
Issued: 12/14/2010
Est. Priority Date: 05/05/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a network interface;

one or more processors coupled to the network interface;

logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform;

receiving an electronic mail message having a destination address for a recipient account;

determining a virus score value for the message based upon a plurality of rules that specify attributes of messages that are known to contain computer viruses;

wherein each rule has a weight proportional to a number of attributes specified in the rule;

wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;

wherein the virus score value is determined as a first sum of products of each of score values returned by the plurality of rules multiplied by a weight associated with a corresponding rule from the plurality of rules and dividing the first sum by a second sum of the weights associated with the plurality of rules;

when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Early detection of computer viruses and other message-borne threats is provided by applying heuristic tests to message content and examining sender reputation information when no virus signature information is available. As a result, a messaging gateway can suspend delivery of messages early in a virus outbreak, providing sufficient time for updating an anti-virus checker that can strip virus code from the messages. A dynamic and flexible threat quarantine queue is provided with a variety of exit criteria and exit actions that permits early release of messages in other than first in, first-out order. A message scanning method is described in which early exit from parsing and scanning can occur by matching threat rules only to selected message elements and stopping rule matching as soon as a match on one message element exceeds a threat threshold.

360 Citations

23 Claims

1. An apparatus, comprising:
- a network interface;
  
  one or more processors coupled to the network interface;
  
  logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform;
  
  receiving an electronic mail message having a destination address for a recipient account;
  
  determining a virus score value for the message based upon a plurality of rules that specify attributes of messages that are known to contain computer viruses;
  
  wherein each rule has a weight proportional to a number of attributes specified in the rule;
  
  wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
  
  wherein the virus score value is determined as a first sum of products of each of score values returned by the plurality of rules multiplied by a weight associated with a corresponding rule from the plurality of rules and dividing the first sum by a second sum of the weights associated with the plurality of rules;
  
  when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1, wherein the attributes comprise a type of content of the attachment.
  - 3. The apparatus of claim 1, wherein the attributes comprise an identification of a sender of the message.
  - 4. The apparatus of claim 1, wherein the heuristics comprise matching content of a body of the message to a dictionary of words that have been commonly used in the bodies of other messages that have carried viruses.
  - 5. The apparatus of claim 1, wherein the heuristics comprise matching content of a subject of the message to a dictionary of words that have been commonly used in the subject lines of other messages that have carried viruses.
  - 6. The apparatus of claim 1, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      retrieving a reputation score value associated with the sender identifier;
      
      determining the virus score value based at least in part on the reputation score value.
  - 7. The apparatus of claim 1, wherein the heuristics comprise matching bytes of a file attachment of the message to a rule, from the plurality of rules, that uniquely identifies initial bytes of executable files.
  - 8. The apparatus of claim 1, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      determining whether the sender identifier is in a locally stored blacklist of senders;
      
      determining the virus score value based at least in part on whether the sender identifier is in the blacklist.
  - 9. The apparatus of claim 1, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      requesting, over a network, an external service to determine whether the sender identifier is in a stored blacklist of senders, and receiving a response from the external service;
      
      determining the virus score value based at least in part on the response.

10. A method, comprising:
- receiving an electronic mail message having a destination address for a recipient account;
  
  determining a virus score value for the message based upon a plurality of rules that specify attributes of messages that are known to contain computer viruses;
  
  wherein each rule has a weight proportional to a number of attributes specified in the rule;
  
  wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
  
  wherein the virus score value is determined as a first sum of products of each of score values returned by the plurality of rules multiplied by a weight associated with a corresponding rule from the plurality of rules and dividing the first sum by a second sum of the weights associated with the plurality of rules;
  
  when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the attributes comprise a type of content of the attachment.
  - 12. The method of claim 10, wherein the attributes comprise an identification of a sender of the message.
  - 13. The method of claim 10, wherein the heuristics comprise matching content of a body of the message to a dictionary of words that have been commonly used in the bodies of other messages that have carried viruses.
  - 14. The method of claim 10, wherein the heuristics comprise matching content of a subject of the message to a dictionary of words that have been commonly used in the subject lines of other messages that have carried viruses.
  - 15. The method of claim 10, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      retrieving a reputation score value associated with the sender identifier;
      
      determining the virus score value based at least in part on the reputation score value.
  - 16. The method of claim 10, wherein the heuristics comprise matching bytes of a file attachment of the message to a rule, from the plurality of rules, that uniquely identifies initial bytes of executable files.
  - 17. The method of claim 10, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      determining whether the sender identifier is in a locally stored blacklist of senders;
      
      determining the virus score value based at least in part on whether the sender identifier is in the blacklist.
  - 18. The method of claim 10, wherein the heuristics comprise:
    - extracting a sender identifier from the message;
      
      requesting, over a network, an external service to determine whether the sender identifier is in a stored blacklist of senders, and receiving a response from the external service;
      
      determining the virus score value based at least in part on the response.

19. A non-transitory computer readable storage medium, storing one or more sequences of instructions, which, when executed by one or more processors, cause the one or more processors to perform:
- receiving an electronic mail message having a destination address for a recipient account;
  
  determining a virus score value for the message based upon a plurality of rules that specify attributes of messages that are known to contain computer viruses;
  
  wherein each rule has a weight proportional to a number of attributes specified in the rule;
  
  wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures;
  
  wherein the virus score value is determined as a first sum of products of each of score values returned by the plurality of rules multiplied by a weight associated with a corresponding rule from the plurality of rules and dividing the first sum by a second sum of the weights associated with the plurality of rules;
  
  when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer-readable storage medium of claim 19, wherein the attributes comprise a type of content of the attachment.
  - 21. The computer-readable storage medium of claim 19, wherein the attributes comprise an identification of a sender of the message.
  - 22. The computer-readable storage medium of claim 19, wherein the heuristics comprise matching content of a body of the message to a dictionary of words that have been commonly used in the bodies of other messages that have carried viruses.
  - 23. The computer-readable storage medium of claim 19, wherein the heuristics comprise matching content of a subject of the message to a dictionary of words that have been commonly used in the subject lines of other messages that have carried viruses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ironport Systems (Cisco Systems, Inc.)
Original Assignee
Ironport Systems (Cisco Systems, Inc.)
Inventors
Sprosts, Craig, Quinlan, Daniel, Slater, Charles, Kennedy, Scot, Rosenstein, Larry
Primary Examiner(s)
Lanier; Benjamin E

Application Number

US11/418,812
Publication Number

US 20070079379A1
Time in Patent Office

1,684 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/234   for tracking messages

H04L 61/4511   using domain name system [DNS]

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/145   the attack involving the pr...

Identifying threats in electronic messages

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

360 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying threats in electronic messages

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

360 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links