Use of global intelligence to make local information classification decisions
First Claim
1. A method comprising:
- performing, by an anti-spam engine of a network of a plurality of anti-spam engines participating in a global intelligence network, an initial spam detection process on an electronic mail (e-mail) message received from a sender, the initial spam detection process including (i) considering a spam score associated with the e-mail message by forming a signature of the e-mail message based on attributes extracted from the e-mail message and querying a remote server associated with the global intelligence network that maintains and updates spam score information based on direct or indirect observations and analysis of queries from the plurality of anti-spam engines, (ii) considering a sender Internet Protocol (IP) reputation associated with the sender by evaluating reputation information supplied by a remote reputation server associated with the global intelligence network and (iii) applying, to the e-mail message, heuristic rules, which are updated by a remote heuristic rule update server associated with the global intelligence network to adapt to changes in spam trends observed by the global intelligence network based on direct or indirect observations and analysis of query volume or patterns for e-mail message signatures received from the plurality of anti-spam engines;
attempting to classify the received e-mail message, by the anti-spam engine, as clean or spam based on the initial spam detection process;
if the received e-mail message cannot be unambiguously classified as being clean or spam in real-time based on the initial spam detection process, then providing, by the anti-spam engine, an opportunity for global intelligence to be gathered by the global intelligence network regarding the e-mail message or e-mail messages having similar attributes by queuing the e-mail message for a re-evaluation spam detection process to be performed at a later time;
classifying, by the anti-spam engine, the queued e-mail message by performing the re-evaluation spam detection process, including re-evaluation of the spam score, re-evaluation of the sender IP reputation and reapplication of the heuristic rules, the re-evaluation spam detection process providing a more accurate categorization result than the initial spam detection process;
handling the queued e-mail message, by the anti-spam engine, in accordance with a policy associated with the more accurate categorization result; and
wherein the anti-spam engine is implemented in one or more processors and one or more computer-readable storage media of one or more computer systems, the one or more computer-readable storage media having instructions tangibly embodied therein representing the anti-spam engine that are executable by the one or more processors.
Abstract
Methods and systems are provided for delaying local information classification until global intelligence has an opportunity to be gathered. According to one embodiment, an initial information identification process, e.g., an initial spam detection, is performed on received electronic information, e.g., an e-mail message. Based on the initial information identification process, classification of the received electronic information is attempted. If the received electronic information cannot be unambiguously classified as being within one of a set of predetermined categories (e.g., spam or clean), then an opportunity is provided for global intelligence to be gathered regarding the received electronic information by queuing the received electronic information for re-evaluation. The electronic information is subsequently classified by performing a re-evaluation information identification process, e.g., re-evaluation spam detection, which provides a more accurate categorization result than the initial information identification process. The electronic information is then handled in accordance with a policy associated with the categorization result.
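The flow the abstract describes (initial attempt, queue on ambiguity, later re-evaluation, policy handling), shown as an added example that is not code from the patent. The thresholds, the max-of-signals combination, the hold limit, the policy names and the dictionaries standing in for the remote score and reputation servers are all assumptions.

```python
import hashlib
from collections import deque

SPAM_T, CLEAN_T = 0.8, 0.2   # assumed thresholds; the patent text gives none
POLICY = {"spam": "quarantine", "clean": "deliver", "ambiguous": "deliver_tagged"}  # assumed

def signature(msg):
    # Signature from extracted attributes (here: case/whitespace-normalized subject + body).
    text = " ".join((msg["subject"] + " " + msg["body"]).lower().split())
    return hashlib.sha256(text.encode()).hexdigest()

class AntiSpamEngine:
    def __init__(self, score_db, ip_db, rules, max_passes=3):
        # score_db / ip_db are dicts standing in for the remote servers (assumption).
        self.score_db, self.ip_db, self.rules = score_db, ip_db, rules
        self.max_passes, self.queue = max_passes, deque()  # queue: (msg, passes so far)

    def evaluate(self, msg):
        # Unknown signature or IP counts as 0.5, so missing intelligence never yields "clean".
        heuristic = max((rule(msg) for rule in self.rules), default=0.0)
        worst = max(self.score_db.get(signature(msg), 0.5),
                    self.ip_db.get(msg["ip"], 0.5), heuristic)
        return "spam" if worst >= SPAM_T else "clean" if worst <= CLEAN_T else "ambiguous"

    def receive(self, msg):
        verdict = self.evaluate(msg)
        if verdict == "ambiguous":
            self.queue.append((msg, 0))   # defer rather than guess in real time
            return "queued"
        return POLICY[verdict]

    def reevaluate(self):
        # Later pass: re-query score and IP reputation, reapply the current rules.
        handled = []
        for _ in range(len(self.queue)):
            msg, passes = self.queue.popleft()
            verdict = self.evaluate(msg)
            if verdict == "ambiguous" and passes + 1 < self.max_passes:
                self.queue.append((msg, passes + 1))
            else:                         # decided, or hold limit reached
                handled.append((msg["id"], POLICY[verdict]))
        return handled

def demo():
    scores = {}
    engine = AntiSpamEngine(scores, {}, rules=[])
    msg = {"id": "m1", "ip": "198.51.100.7", "subject": "Invoice", "body": "See attached"}  # constructed
    first = engine.receive(msg)           # nothing known yet, so the message is queued
    scores[signature(msg)] = 0.95         # score raised by other engines' queries meanwhile
    return first, engine.reevaluate()
```

The hold limit bounds how long an unresolved message can be delayed; what happens to a message that is still ambiguous at that point is a local policy decision.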
14 Claims
8. A non-transitory program storage device readable by one or more processors of a computer system, tangibly embodying a program of instructions executable by the one or more processors to perform method steps for performing spam detection, said method steps comprising:
- performing, by an anti-spam engine of a network of a plurality of anti-spam engines participating in a global intelligence network, an initial spam detection process on an electronic mail (e-mail) message received from a sender, the initial spam detection process including (i) considering a spam score associated with the e-mail message by forming a signature of the e-mail message based on attributes extracted from the e-mail message and querying a remote server associated with the global intelligence network that maintains and updates spam score information based on direct or indirect observations and analysis of queries from the plurality of anti-spam engines, (ii) considering a sender Internet Protocol (IP) reputation associated with the sender by evaluating reputation information supplied by a remote reputation server associated with the global intelligence network and (iii) applying, to the e-mail message, heuristic rules, which are updated by a remote heuristic rule update server associated with the global intelligence network to adapt to changes in spam trends observed by the global intelligence network based on direct or indirect observations and analysis of query volume or patterns for e-mail message signatures received from the plurality of anti-spam engines;
attempting to classify the received e-mail message as clean or spam based on the initial spam detection process;
if the received e-mail message cannot be unambiguously classified as being clean or spam in real-time based on the initial spam detection process, then providing an opportunity for global intelligence to be gathered by the global intelligence network regarding the e-mail message or e-mail messages having similar attributes by queuing the e-mail message for a re-evaluation spam detection process to be performed at a later time;
classifying the queued e-mail message by performing the re-evaluation spam detection process, including re-evaluation of the spam score, re-evaluation of the sender IP reputation and reapplication of the heuristic rules, the re-evaluation spam detection process providing a more accurate categorization result than the initial spam detection process; and
handling the queued e-mail message in accordance with a policy associated with the more accurate categorization result.
Specification