Systems and methods for message threat management

US 8,069,481 B2
Filed: 07/12/2006
Issued: 11/29/2011
Est. Priority Date: 03/08/2002
Status: Active Grant

First Claim

Patent Images

1. A method for operation upon one or more data processors to assign a reputation to a messaging entity, the method comprising:

receiving a communication from a messaging entity;

deriving a risk profile for the communication comprising;

queuing the communication for interrogation by a plurality of interrogation engines, each interrogation engine of a particular type designed to test the communication for a particular security risk;

performing a load evaluation on an interrogation engine of one of the particular types based upon the plurality of interrogation engines queued to interrogate the communication;

determining that the load evaluation exceeds a threshold, and in response adjusting the plurality of the interrogation engines by generating a new instance of an interrogation engine of the one of the particular types based upon the plurality of interrogation engines queued to interrogate the communication;

aggregating output of the plurality of interrogation engines with data associated with previously received communications to form the risk profile for the communication;

determining, using one or more data processors, a reputation score associated with the communication based upon the risk profile;

wherein the reputation score is indicative of reputation of the messaging entity;

wherein the determined reputation score is used in deciding what action is to be taken with respect to communications associated with the messaging entity.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjuntion with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.

Citations

17 Claims

1. A method for operation upon one or more data processors to assign a reputation to a messaging entity, the method comprising:
- receiving a communication from a messaging entity;
  
  deriving a risk profile for the communication comprising;
  
  queuing the communication for interrogation by a plurality of interrogation engines, each interrogation engine of a particular type designed to test the communication for a particular security risk;
  
  performing a load evaluation on an interrogation engine of one of the particular types based upon the plurality of interrogation engines queued to interrogate the communication;
  
  determining that the load evaluation exceeds a threshold, and in response adjusting the plurality of the interrogation engines by generating a new instance of an interrogation engine of the one of the particular types based upon the plurality of interrogation engines queued to interrogate the communication;
  
  aggregating output of the plurality of interrogation engines with data associated with previously received communications to form the risk profile for the communication;
  
  determining, using one or more data processors, a reputation score associated with the communication based upon the risk profile;
  
  wherein the reputation score is indicative of reputation of the messaging entity;
  
  wherein the determined reputation score is used in deciding what action is to be taken with respect to communications associated with the messaging entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the determined reputation score is distributed to one or more computer systems for use in filtering transmissions.
  - 3. The method of claim 1, wherein the determined reputation score is locally distributed to a program for use in filtering transmissions.
  - 4. The method of claim 1, further comprising:
    - determining reputation indicative probabilities based upon the communication;
      
      wherein a reputation indicative probability indicates reputability of a messaging entity based upon an extent to which one or more characteristics of the communication exhibit or conform to one or more reputation-related criteria.
  - 5. The method of claim 4, wherein a type of messaging entity to which reputations are assigned is a domain name, IP address, phone number, or individual electronic address or username representing an organization, computer, a message, or individual user that transmits electronic messages.
  - 6. The method of claim 1 further comprising:
    - determining reputation indicative probabilities based upon the communication;
      
      wherein a reputation indicative probability indicates reputability of a messaging entity based upon extent to which one or more characteristics of the communication exhibit or conform to one or more reputation-related criteria, wherein determining a reputation score includes determining the reputation score based upon aggregation of the reputation indicative probabilities.
  - 7. The method of claim 1, wherein the communication comprises one of an electronic message communication, a VoIP communication, an HTTP communication, a FTP communication, an SMS communication, or an MMS communication.
  - 8. The method of claim 1, further comprising adjusting a reputation of the messaging entity based upon the reputation score.
  - 9. The method of claim 1, further comprising signing the communication and subparts of the communication;
    - determining whether the message has been altered based upon signatures produced by the signing operation.
  - 10. The method of claim 1, further comprising:
    - comparing a reputation associated with a first messaging entity to a reputation of a second messaging entity, wherein the first and second messaging entities are associated with each other; and
      
      , reconciling any differences between the first and second messaging entity.
  - 11. The method of claim 10, wherein the first messaging entity is a phone number, and the second messaging entity is an internet protocol address associated with the phone number.
  - 12. The method of claim 2, wherein distributing the reputation score comprises distributing the reputation score to one or more computers that are remote from the one or more data processors.
  - 13. The method of claim 1, wherein adjusting the plurality of the interrogation engines comprises:
    - generating a new index queue;
      
      associating the new index queue with the new instance of the interrogation engine; and
      
      assigning an index associated with the communication to the new index queue so that the new instance of the interrogation engine tests the communication for a particular security risk.

14. A computer-implemented method of performing transmission filtering utilizing reputation scores of transmission sender, the method comprising:
- storing a transmission from a sender in computer memory;
  
  deriving a risk profile for the transmission comprising;
  
  queuing the transmission for interrogation by a plurality of interrogation engines, each interrogation engine of a particular type designed to test the transmission for a particular security risk;
  
  performing a load evaluation on an interrogation engine of one of the particular types based upon the plurality of interrogation engines queued to interrogate the transmission;
  
  determining that the load evaluation exceeds a threshold, and in response adjusting the plurality of the interrogation engines by generating a new instance of an interrogation engine of the one of the particular types based upon the plurality of interrogation engines queued to interrogate the communication;
  
  aggregating output of the plurality of interrogation engines with data associated with previously received transmission to form the risk profile for the transmission;
  
  determining a reputation score associated for the sender based upon the risk profile;
  
  performing, using one or more data processors, an action on the transmission from the sender corresponding to the score range of the reputation score associated with the sender.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the action includes at least one of the following actions:
    - rejecting all further transmissions from that sender for a period of time or number of transmissions;
      
      silently dropping all further transmissions from that sender for a period of time or number of transmissions;
      
      quarantining all further transmissions from that sender for a period of time or number of transmissions;
      
      orbypassing certain filtering tests for all further transmissions from that sender for a period of time or number of transmissions.
  - 16. The method of claim 14, wherein adjusting the plurality of the interrogation engines comprises:
    - generating a new index queue;
      
      associating the new index queue with the new instance of the interrogation engine; and
      
      assigning an index associated with the communication to the new index queue so that the new instance of the interrogation engine tests the transmission for a particular security risk.

17. A system, comprising:
- a computer processing device; and
  
  a memory device storing instructions executable by the computer processing device that upon such execution cause the computer processing device to perform operations comprising;
  
  receiving a communication from a messaging entity;
  
  deriving a risk profile for the communication comprising;
  
  queuing the communication for interrogation by a plurality of interrogation engines, each interrogation engine of a particular type designed to test the communication for a particular security risk;
  
  performing a load evaluation on a interrogation engine of one of the particular types based upon the plurality of interrogation engines queued to interrogate the communication;
  
  determining that the load evaluation exceeds a threshold, and in response adjusting the plurality of the interrogation engines by generating a new instance of an interrogation engine of the one of the particular types based upon the plurality of interrogation engines queued to interrogate the communication;
  
  aggregating output of the plurality of interrogation engines with data associated with previously received communications to form the risk profile for the communication;
  
  determining, using one or more data processors, a reputation score associated with the communication based upon the risk profile;
  
  wherein the reputation score is indicative of reputation of the messaging entity;
  
  wherein the determined reputation score is used in deciding what action is to be taken with respect to communications associated with the messaging entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Judge, Paul
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
To; Baotran N

Application Number

US11/456,960
Publication Number

US 20060265747A1
Time in Patent Office

1,966 Days
Field of Search

726/13, 726 22- 25, 709206-207, 709/224, 709/229, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and methods for message threat management

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for message threat management

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links