Analyzing traffic patterns to detect infectious messages
First Claim
1. A method of detecting a malicious message in a stream of incoming messages on a network, the method comprising:
- establishing a local subnet traffic pattern based on a stream of messages previously sent over the network and received in a local subnet, the local subnet traffic pattern providing a local subnet baseline built from a collection of messages identified as good messages from the stream of messages previously received in the local subnet;
- establishing a threshold describing a range of expected deviation from the local subnet baseline;
- collecting data regarding an incoming message at a time of receipt of the incoming message, the incoming message received in the local subnet;
- calculating a probability that the incoming message is malicious based on the collected data from the incoming message, the probability indicating a deviation of the collected data from the established local subnet baseline;
- identifying a traffic pattern variable associated with traffic streams on the network at the time of receipt of the incoming message, wherein the traffic pattern variable includes information regarding a local traffic pattern of a different local subnet; and
- classifying the incoming message as malicious based on the identified traffic pattern variable and the calculated probability that the incoming message is malicious exceeding the established threshold.
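The claim above (and claim 9, which recites the same method on a storage medium) describes a baseline-and-deviation detector: a per-subnet baseline learned from known-good messages, a threshold on the expected deviation, a per-message probability derived from how far the message departs from that baseline, and a traffic pattern variable taken from a different subnet that feeds the final classification. The following is an added example of one way to implement that shape; it is not code from the patent. The feature set (size, recipient count, URL count), the erf-based conversion of a z-score into a probability, the 2x "surge" factor, the 0.15 corroboration discount, and all sample messages are assumptions chosen for illustration.

```python
"""Baseline-deviation message classifier in the shape of the claim above.

Added example, not the patent's code. Feature names, the erf-based probability,
the 2x surge factor and the 0.15 corroboration discount are assumptions.
"""
from __future__ import annotations

import math
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """Data collected about a message at time of receipt (assumed feature set)."""
    size: int        # bytes
    recipients: int  # envelope recipient count
    urls: int        # URLs found in the body


FEATURES = ("size", "recipients", "urls")


@dataclass(frozen=True)
class Baseline:
    """Local subnet baseline: per-feature mean and spread of known-good messages."""
    mean: dict[str, float]
    stdev: dict[str, float]


def build_baseline(good_messages: list[Message]) -> Baseline:
    mean, stdev = {}, {}
    for f in FEATURES:
        vals = [getattr(m, f) for m in good_messages]
        mean[f] = statistics.fmean(vals)
        # A tiny floor keeps a constant feature from dividing by zero; any
        # departure from such a feature then scores as maximal deviation.
        stdev[f] = max(statistics.pstdev(vals), 1e-9)
    return Baseline(mean, stdev)


def malicious_probability(msg: Message, baseline: Baseline) -> float:
    """Deviation of the message from the baseline, expressed in [0, 1).

    Takes the most deviant feature's z-score and returns the two-sided normal
    mass lying closer to the mean than that, erf(z / sqrt 2): 0 at the mean,
    about 0.68 at one sigma, 0.95 at two sigma, 0.997 at three sigma.
    """
    worst_z = max(
        abs(getattr(msg, f) - baseline.mean[f]) / baseline.stdev[f] for f in FEATURES
    )
    return math.erf(worst_z / math.sqrt(2))


@dataclass(frozen=True)
class RemoteSubnetPattern:
    """Traffic pattern variable from a different local subnet: its current
    message rate compared with its own baseline rate."""
    current_per_min: float
    baseline_per_min: float

    @property
    def ratio(self) -> float:
        return self.current_per_min / max(self.baseline_per_min, 1e-9)


def classify(msg: Message, baseline: Baseline, threshold: float,
             remote: RemoteSubnetPattern, surge_factor: float = 2.0,
             corroboration: float = 0.15) -> tuple[bool, float]:
    """Return (is_malicious, probability).

    `threshold` is the expected deviation range. A surge on the other subnet
    (ratio >= surge_factor) corroborates a spreading worm, so the threshold is
    lowered by `corroboration`; the message is malicious when its probability
    exceeds the effective threshold.
    """
    p = malicious_probability(msg, baseline)
    effective = threshold - corroboration if remote.ratio >= surge_factor else threshold
    return p > effective, p


# Constructed sample data (not from the patent).
GOOD_MESSAGES = [
    Message(2000, 1, 0), Message(2500, 2, 1), Message(3000, 1, 2), Message(3500, 3, 1),
    Message(4000, 2, 0), Message(3000, 1, 1), Message(2500, 2, 2), Message(3500, 4, 1),
]
BASELINE = build_baseline(GOOD_MESSAGES)
THRESHOLD = 0.95  # roughly two sigma of expected deviation

QUIET_REMOTE = RemoteSubnetPattern(current_per_min=10, baseline_per_min=10)
SURGING_REMOTE = RemoteSubnetPattern(current_per_min=30, baseline_per_min=10)

TYPICAL = Message(3100, 2, 1)       # inside the baseline
MASS_MAILER = Message(3000, 40, 5)  # 40 recipients: far outside the baseline
BORDERLINE = Message(4100, 3, 1)    # about 1.8 sigma on size alone

if __name__ == "__main__":
    for name, m in (("typical", TYPICAL), ("mass-mailer", MASS_MAILER), ("borderline", BORDERLINE)):
        for rname, r in (("quiet", QUIET_REMOTE), ("surging", SURGING_REMOTE)):
            verdict, p = classify(m, BASELINE, THRESHOLD, r)
            print(f"{name:12s} remote={rname:8s} p={p:.3f} malicious={verdict}")
```

The borderline message is the interesting case: on its own it sits just inside the threshold and passes, but when the other subnet's rate is three times its baseline the corroboration discount pulls the effective threshold down and the same message is classified as malicious. Taking the worst single feature rather than an aggregate keeps a mass-mailer from hiding a 40-recipient burst behind otherwise ordinary size and content; the cost is that a single noisy feature can raise the score, so feature choice and the spread floor matter in practice.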
Abstract
Managing electronic messages comprises receiving a message, forwarding the message, determining after it has been forwarded that the forwarded message is infectious, and preventing the infectious forwarded message from spreading.
9 Claims
1. Independent claim; its text is given under First Claim above. Claims 2 through 8 depend from claim 1 and are not reproduced on this page.
9. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method of detecting a malicious message in a stream of incoming messages, the method comprising:
- establishing a local subnet traffic pattern based on a stream of messages previously received by a local subnet, the local subnet traffic pattern providing a local subnet baseline built from a collection of messages identified as good messages from the stream of messages previously received by the local subnet;
- establishing a threshold describing a range of expected deviation from the local subnet baseline;
- collecting data regarding an incoming message at a time of receipt of the incoming message, the incoming message received by the local subnet;
- calculating a probability that the incoming message is malicious based on the collected data from the incoming message, the probability indicating a deviation of the collected data from the established local subnet baseline;
- identifying a traffic pattern variable associated with traffic streams on a network at the time of receipt of the message, wherein the traffic pattern variable includes information regarding a local traffic pattern of a different local subnet; and
- classifying the incoming message as malicious based on the identified traffic pattern variable and the calculated probability that the incoming message is malicious exceeding the established threshold.