Analyzing traffic patterns to detect infectious messages

US 8,122,508 B2
Filed: 10/29/2007
Issued: 02/21/2012
Est. Priority Date: 07/13/2004
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a malicious message in a stream of incoming messages on a network, the method comprising:

establishing a local subnet traffic pattern based on a stream of messages previously sent over the network and received in a local subnet, the local subnet traffic pattern providing a local subnet baseline built from a collection of messages identified as good messages from the stream of messages previously received in the local subnet;

establishing a threshold describing a range of expected deviation from the local subnet baseline;

collecting data regarding an incoming message at a time of receipt of the incoming message, the incoming message received in the local subnet;

calculating a probability that the incoming message is malicious based on the collected data from the incoming message, the probability indicating a deviation of the collected data from the established local subnet baseline;

identifying a traffic pattern variable associated with traffic streams on the network at the time of receipt of the incoming message, wherein the traffic pattern variable includes information regarding a local traffic pattern of a different local subnet; and

classifying the incoming message as malicious based on the identified traffic pattern variable and the calculated probability that the incoming message is malicious exceeding the established threshold.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading.

Citations

9 Claims

1. A method of detecting a malicious message in a stream of incoming messages on a network, the method comprising:
- establishing a local subnet traffic pattern based on a stream of messages previously sent over the network and received in a local subnet, the local subnet traffic pattern providing a local subnet baseline built from a collection of messages identified as good messages from the stream of messages previously received in the local subnet;
  
  establishing a threshold describing a range of expected deviation from the local subnet baseline;
  
  collecting data regarding an incoming message at a time of receipt of the incoming message, the incoming message received in the local subnet;
  
  calculating a probability that the incoming message is malicious based on the collected data from the incoming message, the probability indicating a deviation of the collected data from the established local subnet baseline;
  
  identifying a traffic pattern variable associated with traffic streams on the network at the time of receipt of the incoming message, wherein the traffic pattern variable includes information regarding a local traffic pattern of a different local subnet; and
  
  classifying the incoming message as malicious based on the identified traffic pattern variable and the calculated probability that the incoming message is malicious exceeding the established threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the traffic pattern variable includes information regarding a global traffic pattern.
  - 3. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes associating a probability with token sequences in the incoming message.
  - 4. The method of claim 1, in which the collected data includes information regarding a file type of an attachment to the message.
  - 5. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar probabilities of being malicious.
  - 6. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar collected data.
  - 7. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar times of receipt.
  - 8. The method of claim 1, wherein calculating the probability that the incoming message is malicious includes evaluating a traffic pattern associated with previously received messages having similar traffic pattern variables.

9. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method of detecting a malicious message in a stream of incoming messages, the method comprising:
- establishing a local subnet traffic pattern based on a stream of messages previously received by a local subnet, the local subnet traffic pattern providing a local subnet baseline built from a collection of messages identified as good messages from the stream of messages previously received by the local subnet;
  
  establishing a threshold describing a range of expected deviation from the local subnet baseline;
  
  collecting data regarding an incoming message at a time of receipt of the incoming message, the incoming message received by the local subnet;
  
  calculating a probability that the incoming message is malicious based on the collected data from the incoming message, the probability indicating a deviation of the collected data from the established local subnet baseline;
  
  identifying a traffic pattern variable associated with traffic streams on a network at the time of receipt of the message, wherein the traffic pattern variable includes information regarding a local traffic pattern of a different local subnet; and
  
  classifying the incoming message as malicious based on the identified traffic pattern variable and the calculated probability that the incoming message is malicious exceeding the established threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Rihn, Jennifer, Oliver, Jonathan J.
Primary Examiner(s)
Pich, Ponnoreay

Application Number

US11/927,424
Publication Number

US 20080134336A1
Time in Patent Office

1,576 Days
Field of Search

726/24
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Analyzing traffic patterns to detect infectious messages

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Analyzing traffic patterns to detect infectious messages

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links