Systems and methods for message threat management

US 8,042,149 B2
Filed: 05/29/2007
Issued: 10/18/2011
Est. Priority Date: 03/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A data traffic management system, the system comprising:

a communication interface adapted to allow communication between the management system and a network;

a system data store comprising one or more data storage elements, wherein the system data store is capable of storing;

one or more sets of data traffic management goals; and

classification information;

a system processor in communication with the communication interface and the system data store, wherein the system processor comprises one or more processing elements and the one or more processing elements are programmed or adapted to;

receive a data packet directed to or from a recipient system;

apply one or more tests to the received data packet, wherein each of the one or more tests evaluates the received data packet based upon the classification information;

identify a classification associated with the received data packet based upon the applied one or more tests and the classification information, the classification identifying one or more types of traffic comprised by the received data packet identified by the one or more tests; and

throttle traffic associated with the data packet, the throttling based upon the classifications identified for the data packet and based upon the one or more sets of data traffic management goals, and wherein the throttling of traffic throttles excessive numbers of incoming connections per second to levels manageable by internal application servers, and wherein the traffic management goals are derived from goal-based testing comprising;

receiving threat information from one or more sources;

reducing the threat information into a canonical form;

extracting features from the reduced threat information;

producing rules based on the features and the traffic management goals;

testing the rules against sets of test data and comparing the outcome of the testing to the traffic management goals;

refining the rules if one or more tests fail until the tests succeed within an acceptable margin of error; and

propagating the rules to one or more application layer security systems, wherein the application layer security systems, implementing the rules, achieve the traffic management goals.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.

Citations

24 Claims

1. A data traffic management system, the system comprising:
- a communication interface adapted to allow communication between the management system and a network;
  
  a system data store comprising one or more data storage elements, wherein the system data store is capable of storing;
  
  one or more sets of data traffic management goals; and
  
  classification information;
  
  a system processor in communication with the communication interface and the system data store, wherein the system processor comprises one or more processing elements and the one or more processing elements are programmed or adapted to;
  
  receive a data packet directed to or from a recipient system;
  
  apply one or more tests to the received data packet, wherein each of the one or more tests evaluates the received data packet based upon the classification information;
  
  identify a classification associated with the received data packet based upon the applied one or more tests and the classification information, the classification identifying one or more types of traffic comprised by the received data packet identified by the one or more tests; and
  
  throttle traffic associated with the data packet, the throttling based upon the classifications identified for the data packet and based upon the one or more sets of data traffic management goals, and wherein the throttling of traffic throttles excessive numbers of incoming connections per second to levels manageable by internal application servers, and wherein the traffic management goals are derived from goal-based testing comprising;
  
  receiving threat information from one or more sources;
  
  reducing the threat information into a canonical form;
  
  extracting features from the reduced threat information;
  
  producing rules based on the features and the traffic management goals;
  
  testing the rules against sets of test data and comparing the outcome of the testing to the traffic management goals;
  
  refining the rules if one or more tests fail until the tests succeed within an acceptable margin of error; and
  
  propagating the rules to one or more application layer security systems, wherein the application layer security systems, implementing the rules, achieve the traffic management goals.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the system processor is operable to receive instructions to throttle specific classifications of electronic communications.
  - 3. The system of claim 1, wherein the system processor is operable to evaluate the classification of the data packet against a rule set associated with the communications to determine whether to throttle the traffic associated.
  - 4. The system of claim 1, wherein the data store further comprises a plurality of evaluation queues, each of the evaluation queues being associated with one of the plurality of tests and defining an order in which the electronic communications are tested.
  - 5. The system of claim 4, wherein the system processor is operable to advance an electronic message, packet or stream based upon the data packet comprising a high priority classification to throttle traffic associated with the data packet.
  - 6. The system of claim 1, wherein the classifications comprise one or more of business email, personal email, chain letters, adult language, porn, web product offerings, newsletters, mailing lists, trojans, financial transactions, games, downloads, entertainment, application service providers, business applications, worms or viruses.
  - 7. The system of claim 1, wherein the system processor derives classification information from a plurality of data packets of a known classification.
  - 8. The system of claim 1, wherein the system processor receives classification information from a spam database, a virus information database, an intrusion information database or combinations thereof.
  - 9. The system of claim 8, wherein each classification of undesirable traffic is assigned a value that corresponds to a level of undesirability for the classification.
  - 10. The system of claim 1, further comprising forwarding traffic associated with the data packet based on the classification associated with the data packet.
  - 11. The system of claim 1, wherein the system processor is operable to allow traffic associated with the data packet to be processed more quickly to throttle traffic associated with the data packet.

12. A computer-implemented method comprising:
- receiving a traffic stream through a communication interface, the traffic stream comprising a plurality of data packets;
  
  storing the packets in computer memory;
  
  applying a plurality of tests to at least one of the plurality of data packets, each of the plurality of tests being operable to identify a characteristic associated with said at least one of the plurality of data packets;
  
  determining a classification associated with the traffic stream based upon results associated with each of the application of the plurality of tests to said at least one of the plurality of data packets; and
  
  throttling, using one or more processors, the traffic stream based upon the determined classification associated with the traffic stream and based upon the one or more sets of data traffic management goals, wherein the throttling of the traffic stream throttles excessive numbers of incoming connections per second to levels manageable by internal application servers, and wherein the traffic management goals are derived from goal-based testing comprising;
  
  receiving threat information from one or more sources;
  
  reducing the threat information into a canonical form;
  
  extracting features from the reduced threat information;
  
  producing rules based on the features and the traffic management goals;
  
  testing the rules against sets of test data and comparing the outcome of the testing to the traffic management goals;
  
  refining the rules if one or more tests fail until the tests succeed within an acceptable margin of error; and
  
  propagating the rules to one or more application layer security systems, wherein the application layer security systems, implementing the rules, achieve the traffic management goals.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, wherein the classifications comprise one or more of business email, personal email, chain letters, adult language, porn, web product offerings, newsletters, mailing lists, trojans, financial transactions, worms or viruses.
  - 14. The method of claim 13, wherein the plurality of tests are operable to further derive similarities to previously received messages having a known classification.
  - 15. The method of claim 13, further comprising weighting the results of each of the plurality of tests based upon a correlation between the characteristic identified by the test and a particular classification of traffic.
  - 16. The method of claim 13, wherein the traffic streams are throttled based upon a traffic management policy.
  - 17. The method of claim 12, further comprising receiving instructions to throttle specific classifications of electronic communications, and wherein throttling the traffic streams is based upon receipt of the instructions.
  - 18. The method of claim 12, further comprising evaluating the classification of the data packet against a rule set associated with the communications to determine whether to throttle the traffic associated.
  - 19. The method of claim 12, further comprising deriving the plurality of tests from data packets of known classification.
  - 20. The method of claim 12, wherein each classification is assigned a value that corresponds to a level of undesirability associated with the classification, and association of the traffic stream with the classification associates the traffic stream with the corresponding level of undesirability associated with the classification.
  - 21. The method of claim 12, further comprising forwarding the traffic stream to a recipient of the traffic stream based upon the classification associated with the data packets comprising the traffic stream.

22. Non-transitory computer readable media storing instructions that upon execution are operable to cause one or more processors to perform operations comprising:
- receiving a traffic stream comprising a plurality of data packets;
  
  applying a plurality of tests to at least one of the plurality of data packets, each of the plurality of tests being operable to identify a characteristic associated with the traffic stream, the characteristics comprising points of comparison between the traffic stream and known classifications of traffic streams;
  
  determining a classification associated with the traffic stream based upon results associated with each of the application of the plurality of tests to said at least one of the plurality of data packets;
  
  throttling the traffic stream based upon the determined classification associated with the traffic stream and based upon the one or more sets of data traffic management goals, and wherein the throttling of the traffic stream throttles excessive numbers of incoming connections per second to levels manageable by internal application servers, and wherein the traffic management goals are derived from goal-based testing comprising;
  
  receiving threat information from one or more sources;
  
  reducing the threat information into a canonical form;
  
  extracting features from the reduced threat information;
  
  producing rules based on the features and the traffic management goals;
  
  testing the rules against sets of test data and comparing the outcome of the testing to the traffic management goals;
  
  refining the rules if one or more tests fail until the tests succeed within an acceptable margin of error; and
  
  propagating the rules to one or more application layer security systems, wherein the application layer security systems, implementing the rules, achieve the traffic management goals.
- View Dependent Claims (23, 24)
- - 23. The non-transitory computer readable media of claim 22, wherein the classifications comprise one or more of business email, personal email, chain letters, adult language, porn, web product offerings, newsletters, mailing lists, trojans, financial transactions, worms or viruses.
  - 24. The non-transitory computer readable media of claim 22, further operable to cause the processor to perform the step of weighting the results of each of the plurality of tests based upon a correlation between the characteristic identified by the test and a particular classification of traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Judge, Paul
Primary Examiner(s)
Song; Hosuk
Assistant Examiner(s)
To; Baotran N

Application Number

US11/754,669
Publication Number

US 20070300286A1
Time in Patent Office

1,603 Days
Field of Search

726/1, 726/22, 726/23, 726/24, 726/25, 726/11, 726/12, 726/13, 713/188, 709/223, 709/224, 709/229
US Class Current

726/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and methods for message threat management

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for message threat management

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links