Systems and methods for message threat management
First Claim
1. A method to classify communications from messaging entities, the method comprising:
initiating a plurality of interrogation engines, each interrogation engine implementing a message classification technique;
initiating a corresponding plurality of index queues, each index queue associated with one interrogation engine;
storing, in each index queue, indexes that index communications in an order in which its corresponding interrogation engine is to process the communications;
receiving a communication from a messaging entity, wherein the communication is a legitimate e-mail message or spam or a virus or a communication that violates corporate policy;
assigning an index to the communication;
performing a load evaluation in response to receiving the communication;
determining an additional interrogation engine should be initiated based on the load evaluation, and in response to the determination, creating a new index queue and initiating a new interrogation engine, wherein the new index queue is associated with the new interrogation engine;
placing the index assigned to the communication into one or more index queues of the plurality of index queues and the new index queue;
for each of the one or more index queues into which the index is assigned, using the corresponding interrogation engine and message classification technique to classify the communication;
combining, using one or more data processors, results of the message classification techniques to generate a message profile score for the communication; and
wherein the message profile score is used in deciding what action is to be taken with respect to the communication associated with the messaging entity, and the communication is interrogated by a plurality of interrogation engines of different types.
Abstract
The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.
18 Claims
12. One or more computer readable media storing instructions that are executable by one or more data processors, and upon such execution cause the one or more data processors to perform operations comprising:
initiating a plurality of interrogation engines, each interrogation engine implementing a message classification technique;
initiating a corresponding plurality of index queues, each index queue associated with one interrogation engine;
storing, in each index queue, indexes that index communications in an order in which its corresponding interrogation engine is to process the communications;
receiving a communication that was sent over a network from a messaging entity, wherein the communication is a legitimate e-mail message or spam or a virus or a communication that violates corporate policy;
assigning an index to the communication;
performing a load evaluation in response to receiving the communication;
determining an additional interrogation engine should be initiated based on the load evaluation, and in response to the determination, creating a new index queue and initiating a new interrogation engine, wherein the new index queue is associated with the new interrogation engine;
placing the index assigned to the communication into one or more index queues of the plurality of index queues and the new index queue;
for each of the one or more index queues into which the index is assigned, using the corresponding interrogation engine and message classification technique to classify the communication;
wherein each message classification technique is associated with a confidence value which is used in generating a message classification output from the message classification technique;
combining results of the message classification techniques to generate a message profile score for the communication; and
wherein the message profile score is used in deciding what action is to be taken with respect to the communication associated with the messaging entity, and the communication is interrogated by a plurality of interrogation engines of different types.
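The flow recited in claims 1 and 12, sketched as an added example that is not code from the patent or any product: each engine owns an index queue, a load evaluation on receipt may start a new engine with a new queue, and per-technique results are combined into a message profile score. The two toy techniques, the backlog threshold, the confidence-weighted average and the quarantine cut-off are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Engine:
    """One interrogation engine together with its associated index queue."""
    name: str
    technique: Callable[[str], float]  # 0.0 (clean) .. 1.0 (threat)
    confidence: float                  # weight given to this technique's output
    queue: deque = field(default_factory=deque)

# Constructed toy classification techniques (assumptions, not from the patent).
def keyword_check(msg): return 1.0 if "free money" in msg.lower() else 0.0
def link_check(msg): return min(msg.lower().count("http://") / 2, 1.0)

class Pipeline:
    MAX_BACKLOG = 2  # hypothetical load threshold per index queue

    def __init__(self):
        self.store, self.results, self.next_index = {}, {}, 0
        self.engines = [Engine("keyword", keyword_check, 0.6),
                        Engine("link", link_check, 0.4)]

    def receive(self, msg):
        # Assign an index; queues hold indexes, not message bodies.
        idx, self.next_index = self.next_index, self.next_index + 1
        self.store[idx], self.results[idx] = msg, []
        for kind in {e.name for e in self.engines}:
            pool = [e for e in self.engines if e.name == kind]
            target = min(pool, key=lambda e: len(e.queue))
            if len(target.queue) >= self.MAX_BACKLOG:  # load evaluation
                # Start a new engine of this type with its own new index queue.
                target = Engine(kind, target.technique, target.confidence)
                self.engines.append(target)
            target.queue.append(idx)
        return idx

    def drain(self):
        # Each engine processes indexes in the order stored in its queue.
        for e in self.engines:
            while e.queue:
                idx = e.queue.popleft()
                score = e.technique(self.store[idx])
                self.results[idx].append((e.confidence, score))

    def profile_score(self, idx):
        # Assumed combination rule: confidence-weighted average of outputs.
        total = sum(c for c, _ in self.results[idx])
        return sum(c * s for c, s in self.results[idx]) / total

    def action(self, idx, quarantine_at=0.5):
        return "quarantine" if self.profile_score(idx) >= quarantine_at else "deliver"
```
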
Specification