Method of and system for, processing email

US 7,877,807 B2
Filed: 07/06/2001
Issued: 01/25/2011
Est. Priority Date: 07/07/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system for processing email to detect the spread of previously unknown viruses which comprises:

a computing system programmed for;

monitoring email traffic passing through one or more nodes of a network, this monitoring comprising;

analyzing emails to determine if they meet one or more predefined criteria, the predefined criteria indicating whether it is possible that a given email contains a virus, the predefined criteria including at least one of the given email having an attachment that is executable by the computing system, the given email having an executable attachment that is wrapped in a container, the given email containing an attachment having illegal formatting;

logging details about emails that meet one or more of the predefined criteria to a local database, the details at least including at least two of the message digest of the subject of each logged email, a message digest of the message of each logged email if such a message was included with the email, a message digest of an attachment to the email if such an attachment was included with the email, and a message digest of the sender of each logged email, and the number of intended recipients of the email;

assigning a suspiciousness score to each of the emails within the database that thus meet one or more of the predefined criteria, the suspiciousness score for each email relating to a degree of suspiciousness of a particular email according to one or more suspiciousness criteria the particular email meets, the suspiciousness criteria being different than the predefined criteria, the suspiciousness score being calculated using an algorithm which takes into account how similar the emails are to other emails in the database, and how many such similar emails have been received during a predefined length of time of 180 minutes or less, the suspiciousness score increasing as the number of similar emails received increases over the predefined length of time;

searching the local database for patterns of recent email traffic which are indicative of, or suggestive of, the spread of a previously unknown email-borne virus, by applying a predetermined set of pattern criteria to attributes of the recent email traffic, the set of pattern criteria including criteria which relate to a plurality of constituent parts of recently arrived emails making up at least a portion of the recent email traffic, the recently arrived emails being emails that have arrived during the predefined length of time;

detecting the suspected presence of a previously unknown email virus based on a detected pattern of email traffic which is indicative of, or suggestive of, the spread of a previously unknown email-borne virus; and

,initiating, once such a pattern is detected which meets predefined threshold criteria, a remedial action, wherein the remedial action is selected from among an automatic remedial action, alerting an operator and both an automatic remedial action and alerting an operator, the remedial action being at least partly determined by the degree of suspiciousness associated with the detected pattern of email traffic.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for processing emails incorporates means for dealing with previously unknown viruses. The system monitors email traffic patterns to identify patterns characteristic of a virus outbreak and takes corrective action when an outbreak is detected. Individual emails are analysed and, if any one of the constituent parts contains content in which it is possible to contain a virus, characteristic data derived from the email is logged to a database which is scanned for outbreak-indicating traffic patterns.

109 Citations

View as Search Results

22 Claims

1. A system for processing email to detect the spread of previously unknown viruses which comprises:
- a computing system programmed for;
  
  monitoring email traffic passing through one or more nodes of a network, this monitoring comprising;
  
  analyzing emails to determine if they meet one or more predefined criteria, the predefined criteria indicating whether it is possible that a given email contains a virus, the predefined criteria including at least one of the given email having an attachment that is executable by the computing system, the given email having an executable attachment that is wrapped in a container, the given email containing an attachment having illegal formatting;
  
  logging details about emails that meet one or more of the predefined criteria to a local database, the details at least including at least two of the message digest of the subject of each logged email, a message digest of the message of each logged email if such a message was included with the email, a message digest of an attachment to the email if such an attachment was included with the email, and a message digest of the sender of each logged email, and the number of intended recipients of the email;
  
  assigning a suspiciousness score to each of the emails within the database that thus meet one or more of the predefined criteria, the suspiciousness score for each email relating to a degree of suspiciousness of a particular email according to one or more suspiciousness criteria the particular email meets, the suspiciousness criteria being different than the predefined criteria, the suspiciousness score being calculated using an algorithm which takes into account how similar the emails are to other emails in the database, and how many such similar emails have been received during a predefined length of time of 180 minutes or less, the suspiciousness score increasing as the number of similar emails received increases over the predefined length of time;
  
  searching the local database for patterns of recent email traffic which are indicative of, or suggestive of, the spread of a previously unknown email-borne virus, by applying a predetermined set of pattern criteria to attributes of the recent email traffic, the set of pattern criteria including criteria which relate to a plurality of constituent parts of recently arrived emails making up at least a portion of the recent email traffic, the recently arrived emails being emails that have arrived during the predefined length of time;
  
  detecting the suspected presence of a previously unknown email virus based on a detected pattern of email traffic which is indicative of, or suggestive of, the spread of a previously unknown email-borne virus; and
  
  ,initiating, once such a pattern is detected which meets predefined threshold criteria, a remedial action, wherein the remedial action is selected from among an automatic remedial action, alerting an operator and both an automatic remedial action and alerting an operator, the remedial action being at least partly determined by the degree of suspiciousness associated with the detected pattern of email traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the remedial action is selected from among:
    - a) at least temporarily stopping the passage of the emailsb) notifying the senderc) notifying the intended recipient(s)d) disinfecting the emaile) generating a signal to alert a human operator.
  - 3. The system of claim 1 and including sending a message identifying suspect emails to an automated email server.
  - 4. The system of claim 1 and including processing infected emails to disinfect them or to disarm a virus therein.
  - 5. The system of claim 1 and including inserting in emails not taken to be virus infected, a message indicating that the email has been processed.
  - 6. The system of claim 1, further comprising:
    - while searching the database for patterns of email traffic which are indicative of, or suggestive of, the spread of a previously unknown email-borne virus applying different numerical weights to different suspiciousness criteria.
  - 7. The system of claim 1, wherein, in the applying of the predetermined set of suspiciousness criteria, a set of emails is assigned a numerical score calculated according to a selected combination of said criteria and is detected as being a said pattern of email traffic if the score exceeds a predetermined threshold.
  - 8. The system of claim 1, wherein logging details about emails includes logging of a digest of any one or more of:
    - the message text;
      
      the subject line;
      
      the first few characters of the text part of the email;
      
      the first text part of the email;
      
      the first attachment;
      
      the sender;
      
      orthe first recipient.
  - 9. The system of claim 1, wherein said criteria include any one or more of:
    - a criterion that an email contains inconsistent capitalization;
      
      a criterion that an email has line break or other white space composition in message headers inconsistent with the indicated generator of the email;
      
      a criterion that an email has non-standard ordering of header elements;
      
      a criterion that an email has missing or additional header elements;
      
      a criterion that an email has inconsistent message ID information;
      
      a criterion that an email has a boundary format inconsistent with the indicated generator of the email;
      
      a criterion that the message part of an email is encrypted to defeat linguistic analysis;
      
      a criterion that an email has an empty message sender envelope;
      
      a criterion that an email has an invalid message sender address;
      
      a criterion that an email has a message sender address which does not match the mail server from which it was sent;
      
      a criterion that emails are addressed to recipients in alphabetical, or reverse alphabetical, order;
      
      a criterion that emails are sent to a particular email address and then exit multiply from the same email address and/or similar email addresses;
      
      a criterion that emails contain the same structural format;
      
      a criterion that emails contain the same unusual headers;
      
      a criterion that emails contain the same structural quirk;
      
      ora criterion that an email originates from a particular IP address or an address in a range of IP addresses.
  - 10. The system of claim 1, wherein the suspiciousness criteria are selected from among:
    - length of message, number of attachments, sender IP address, and digest of first attachment.
  - 11. The system of claim 1, wherein constituent parts of the emails are selected from among:
    - the subject line, recipients, message text and attachments.

12. A computer-implemented system, in or for a computer network over which users send one another emails, for processing email to detect the spread of previously unknown viruses which comprises:
- a means for monitoring email traffic passing through one or more nodes of the network, wherein the means comprises;
  
  a means for analyzing emails to determine if they meet one or more predefined criteria, the predefined criteria indicating whether it is possible that a given email contains a virus, the predefined criteria including at least one of the given email having an attachment that is executable by the computing system, the given email having an executable attachment that is wrapped in a container, the given email containing an attachment having illegal formatting;
  
  a means for logging details about emails that meet one or more of the predefined criteria to a local database, the details at least including at least two of the message digest of the subject of each logged email, a message digest of the message of each logged email if such a message was included with the email, a message digest of an attachment to the email if such an attachment was included with the email, and a message digest of the sender of each logged email, and the number of intended recipients of the email;
  
  a means for assigning a suspiciousness score to each of the emails within the database that thus meet one or more of the predefined criteria, the suspiciousness score for each email relating to a degree of suspiciousness of a particular email according to one or more suspiciousness criteria the particular email meets, the suspiciousness criteria being different than the predefined criteria, the suspiciousness score being calculated using an algorithm which takes into account how similar the emails are to other emails in the database, and how many such similar emails have been received during a predefined length of time of 180 minutes or less, the suspiciousness score increasing as the number of similar emails received increases over the predefined length of time;
  
  a means for searching the local database for patterns of recent email traffic which are indicative of, or suggestive of, the spread of a previously unknown email-borne virus, by applying a predetermined set of pattern criteria to attributes of the recent email traffic, the set of pattern criteria including criteria which relate to a plurality of constituent parts of recently arrived emails making up at least a portion of the recent email traffic, the recently arrived emails being emails that have arrived during the predefined length of time;
  
  a means for detecting the suspected presence of a previously unknown email virus based on a detected pattern of email traffic which is indicative of, or suggestive of, the spread of a previously unknown email-borne virus; and
  
  a means for initiating, operative once such a pattern is detected which meets predefined threshold criteria, a remedial action, wherein the remedial action is selected from among an automatic remedial action, alerting an operator and both an automatic remedial action and alerting an operator, the remedial action being at least partly determined by the degree of suspiciousness associated with the detected pattern of email traffic.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The computer-implemented system according to claim 12 and including means for sending a message identifying suspect emails to an automated email server.
  - 15. The computer-implemented system according to claim 12 and including means for processing infected emails to disinfect them or to disarm a virus therein.
  - 16. The computer-implemented system according to claim 12 and including means for inserting in emails not taken to be virus infected, a message indicating that the email has been processed.
  - 17. The computer-implemented system according to claim 12, wherein the means for searching the database for patterns of email traffic which are indicative of, or suggestive of, the spread of a previously unknown email-borne virus is operative to apply different numerical weights to different suspiciousness criteria.
  - 18. The computer-implemented system according to claim 12, wherein, the means for searching the database for patterns of email traffic which are indicative of, or suggestive of, the spread of a previously unknown email-borne virus is operative, in the applying of the predetermined set of suspiciousness criteria, to assign a set of emails a numerical score calculated according to a selected combination of said criteria, and to detect the set of emails as a said pattern of email traffic when the score exceeds a predetermined threshold.
  - 19. The computer-implemented system according to claim 12, wherein the means for logging details about emails to a database is operative to log details about emails including a digest of any one or more of:
    - the message text;
      
      the subject line;
      
      the first few characters of the text part of the email;
      
      the first text part of the email;
      
      the first attachment;
      
      the sender;
      
      orthe first recipient.
  - 20. The computer-implemented system according to claim 12, wherein said criteria include any one or more of:
    - a criterion that an email contains inconsistent capitalization;
      
      a criterion that an email has line break or other white space composition in message headers inconsistent with the indicated generator of the email;
      
      a criterion that an email has non-standard ordering of header elements;
      
      a criterion that an email has missing or additional header elements;
      
      a criterion that an email has inconsistent message ID information;
      
      a criterion that an email has a boundary format inconsistent with the indicated generator of the email;
      
      a criterion that the message part of an email is encrypted to defeat linguistic analysis;
      
      a criterion that an email has an empty message sender envelope;
      
      a criterion that an email has an invalid message sender address;
      
      a criterion that an email has a message sender address which does not match the mail server from which it was sent;
      
      a criterion that emails are addressed to recipients in alphabetical, or reverse alphabetical, order;
      
      a criterion that emails are sent to a particular email address and then exit multiply from the same email address and/or similar email addresses;
      
      a criterion that emails contain the same structural format;
      
      a criterion that emails contain the same unusual headers;
      
      a criterion that emails contain the same structural quirk;
      
      ora criterion that an email originates from a particular IP address or an address in a range of IP addresses.
  - 21. The computer-implemented system according to claim 12, wherein the suspiciousness criteria are selected from among:
    - length of message, number of attachments, sender IP address, and digest of first attachment.
  - 22. The computer-implemented system according to claim 12, wherein constituent parts of the emails are selected from among:
    - the subject line, recipients, message text and attachments.

13. The computer-implemented system according to Ccaim 12, wherein the means for initiating is operative such that the remedial action includes any or all of the following, in relation to each email which conforms to the detected pattern:
- a) at least temporarily stopping the passage of the emails;
  
  b) notifying the sender;
  
  c) notifying the intended recipient(s);
  
  d) disinfecting the email; and
  
  e) generating a signal to alert a human operator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Shipp, Alexander
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US10/332,552
Publication Number

US 20040054498A1
Time in Patent Office

3,490 Days
Field of Search

726/24, 726/22
US Class Current

726/24
CPC Class Codes

G06F 21/562   Static detection

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/234   for tracking messages

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Method of and system for, processing email

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method of and system for, processing email

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links