Image spam filtering based on senders' intention analysis

US 8,180,837 B2
Filed: 05/04/2008
Issued: 05/15/2012
Est. Priority Date: 10/31/2007
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

converting, by an anti-spam module, an embedded image of an electronic mail (email) message to a binarized representation by performing thresholding on a grayscale representation of the embedded image;

quantifying, by the anti-spam module, a number of text strings that are included in the embedded image by analyzing one or more blocks of the binarized representation with a text string measurement algorithm;

classifying, by the anti-spam module, the email message as spam or clean based at least in part on the number of text strings;

wherein the anti-spam module is implemented in one or more processors and one or more non-transitory computer-readable storage media of one or more computer systems, the one or more non-transitory computer-readable storage media having instructions tangibly embodied therein representing the anti-spam module that are executable by the one or more processors; and

wherein the one or more blocks comprise M×

N virtual blocks and wherein the text string measurement algorithm employs equations having a general form as follows;

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for an anti-spam detection module that can detect image spam are provided. According to one embodiment, an image spam detection process involves determining and measuring various characteristics of images that may be embedded within or otherwise associated with an electronic mail (email) message. An approximate display location of the embedded images is determined. The existence of one or more abnormal factors associated with the embedded images is identified. A quantity of text included in the one or more embedded images is determined and measured by analyzing one or more blocks of binarized representations of the one or more embedded images. Finally, the likelihood that the email message is spam is determined based on one or more of the approximate display location, the existence of one or more abnormal factors and the quantity and location of text measured.

35 Citations

View as Search Results

41 Claims

1. A computer-implemented method comprising:
- converting, by an anti-spam module, an embedded image of an electronic mail (email) message to a binarized representation by performing thresholding on a grayscale representation of the embedded image;
  
  quantifying, by the anti-spam module, a number of text strings that are included in the embedded image by analyzing one or more blocks of the binarized representation with a text string measurement algorithm;
  
  classifying, by the anti-spam module, the email message as spam or clean based at least in part on the number of text strings;
  
  wherein the anti-spam module is implemented in one or more processors and one or more non-transitory computer-readable storage media of one or more computer systems, the one or more non-transitory computer-readable storage media having instructions tangibly embodied therein representing the anti-spam module that are executable by the one or more processors; and
  
  wherein the one or more blocks comprise M×
  
  N virtual blocks and wherein the text string measurement algorithm employs equations having a general form as follows;
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the embedded image is conveyed formatted in accordance with Graphic Interchange Format (GIF), Joint Photographic Experts Group (JPEG) or Portable Network Graphics (PNG).
  - 3. The method of claim 1, wherein the embedded image comprises an image contained within a file attached to the email message.
  - 4. The method of claim 2, further comprising determining an approximate display location of an embedded image within an electronic mail (email) message.
  - 5. The method of claim 2, further comprising identifying existence of one or more abnormal factors associated with the embedded image.

6. A computer-implemented method comprising:
- determining, by an anti-spam module, an approximate display location of one or more embedded images within an electronic mail (email) message;
  
  identifying, by the anti-spam module, existence of one or more abnormal factors associated with the one or more embedded images;
  
  quantifying, by the anti-spam module, a number of text strings that are included in the embedded image by analyzing one or more blocks of the binarized representation with a text string measurement algorithm;
  
  classifying, by the anti-spam module, the email message as spam or clean based on the approximate display location, the existence of one or more abnormal factors and the number of text strings;
  
  wherein the anti-spam module is implemented in one or more processors and one or more non-transitory computer-readable storage media of one or more computer systems, the one or more non-transitory computer-readable storage media having instructions tangibly embodied therein representing the anti-spam module that are executable by the one or more processors; and
  
  wherein the one or more blocks comprise M×
  
  N virtual blocks and wherein the text string measurement algorithm employs equations having a general form as follows;
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 7. The method of claim 6, further comprising performing image thresholding on grayscale representations of the one or more embedded images.
  - 8. The method of claim 6, wherein the email message comprises a HyperText Markup Language (HTML) formatted email message or an eXtensible Markup Language (XML) formatted email message.
  - 9. The method of claim 8, wherein said determining an approximate display location of one or more embedded images comprises parsing one or more of HTML code, plain text and Multipurpose Internet Mail Extension (MIME) parts of the HTML formatted email message.
  - 10. The method of claim 9, wherein said determining an approximate display location of one or more embedded images further comprises identifying a displaying line of the email message just prior to the one or more embedded images and calculating the approximate displaying location based on a display location of the displaying line.
  - 11. The method of claim 6, wherein a portion of the text included in the one or more embedded images comprises light text in the context of a dark background.
  - 12. The method of claim 6, wherein a portion of the text included in the one or more embedded images comprises dark text in the context of a light background.
  - 13. The method of claim 6, wherein the one or more abnormal factors include illegal base64 encoding, a plurality of continuous images within one HyperText Markup Language (HTML) part, lower entropy of frames in an animated Graphic Interchange Format (GIF) image or illegal chunk data of Portable Network Graphics (PNG) image.
  - 14. The method of claim 6, wherein image data associated with an embedded image of the one or more embedded images is sent with the email message.
  - 15. The method of claim 6, wherein image data associated with an embedded image of the one or more embedded images is retrieved once a recipient views the email message.
  - 16. The method of claim 6, wherein an embedded image of the one or more embedded images is contained within a file attached to the email message.
  - 17. The method of claim 16, wherein the attached file comprises a Portable Document Format (PDF) file, an Encapsulated PostScript file, a SWF file, a Windows Metafile file, an AutoCAD DXF file or a CorelDraw CDR file.
  - 18. The method of claim 6, wherein file formats of the one or more embedded images are selected from a group comprising Graphic Interchange Format (GIF), Joint Photographic Experts Group (JPEG) and Portable Network Graphics (PNG), Progressive Graphics File (PGF), Tagged Image File Format (TIFF), bit mapped format (BMP), HDP, WDP, XPM, MacOS-PICT, Irix-RGB, Multiresolution Seamless Image Database (MrSID), RAW format, vector format, Scalable Vector Graphics (SVG), Portable Document Format (PDF), Encapsulated PostScript, SWF, Windows Metafile, AutoCAD DXF and CorelDraw CDR.

19. A non-transitory computer-readable storage medium having tangibly embodied thereon instructions, which when executed by one or more processors of one or more computer systems cause the one or more processors to perform a method comprising:
- converting an embedded image of an electronic mail (email) message to a binarized representation by performing thresholding on a grayscale representation of the embedded image;
  
  quantifying, by the anti-spam module, a number of text strings that are included in the embedded image by analyzing one or more blocks of the binarized representation with a text string measurement algorithm;
  
  classifying, by the anti-spam module, the email message as spam or clean based at least in part on the number of text strings; and
  
  wherein the one or more blocks comprise M×
  
  N virtual blocks and wherein the text string measurement algorithm employs equations having a general form as follows;
- View Dependent Claims (20, 21, 22, 23)
- - 20. The computer-readable storage medium of claim 19, wherein the embedded image is conveyed formatted in accordance with Graphic Interchange Format (GIF), Joint Photographic Experts Group (JPEG) or Portable Network Graphics (PNG).
  - 21. The computer-readable storage medium of claim 19, wherein the embedded image comprises an image contained within a file attached to the email message.
  - 22. The computer-readable storage medium of claim 20, wherein the method further comprises determining an approximate display location of an embedded image within an electronic mail (email) message.
  - 23. The computer-readable storage medium of claim 20, wherein the method further comprises identifying existence of one or more abnormal factors associated with the embedded image.

24. A non-transitory computer-readable storage medium having tangibly embodied thereon instructions, which when executed by one or more processors of one or more computer systems cause the one or more processors to perform a method comprising:
- determining an approximate display location of one or more embedded images within an electronic mail (email) message;
  
  identifying existence of one or more abnormal factors associated with the one or more embedded images;
  
  quantifying, by the anti-spam module, a number of text strings that are included in the embedded image by analyzing one or more blocks of the binarized representation with a text string measurement algorithm; and
  
  classifying, by the anti-spam module, the email message as spam or clean based on the approximate display location, the existence of one or more abnormal factors and the number of text strings; and
  
  wherein the one or more blocks comprise M×
  
  N virtual blocks and wherein the text string measurement algorithm employs equations having a general form as follows;
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 25. The computer-readable storage medium of claim 24, wherein the method further comprises performing image thresholding on grayscale representations of the one or more embedded images.
  - 26. The computer-readable storage medium of claim 24, wherein the email message comprises a HyperText Markup Language (HTML) formatted email message or an eXtensible Markup Language (XML) formatted email message.
  - 27. The computer-readable storage medium of claim 26, wherein said determining an approximate display location of one or more embedded images comprises parsing one or more of HTML code, plain text and Multipurpose Internet Mail Extension (MIME) parts of the HTML formatted email message.
  - 28. The computer-readable storage medium of claim 27, wherein said determining an approximate display location of one or more embedded images further comprises identifying a displaying line of the email message just prior to the one or more embedded images and calculating the approximate displaying location based on a display location of the displaying line.
  - 29. The computer-readable storage medium of claim 24, wherein a portion of the text included in the one or more embedded images comprises light text in the context of a dark background.
  - 30. The computer-readable storage medium of claim 24, wherein a portion of the text included in the one or more embedded images comprises dark text in the context of a light background.
  - 31. The computer-readable storage medium of claim 24, wherein the one or more abnormal factors include illegal base64 encoding, a plurality continues images within one HyperText Markup Language (HTML) part, lower entropy of frames in an animated Graphic Interchange Format (GIF) image or illegal chunk data of Portable Network Graphics (PNG) image.
  - 32. The computer-readable storage medium of claim 24, wherein image data associated with an embedded image of the one or more embedded images is sent with the email message.
  - 33. The computer-readable storage medium of claim 24, wherein image data associated with an embedded image of the one or more embedded images is retrieved once a recipient views the email message.
  - 34. The computer-readable storage medium of claim 24, wherein an embedded image of the one or more embedded images is contained within a file attached to the email message.
  - 35. The computer-readable storage medium of claim 34, wherein the attached file comprises a Portable Document Format (PDF) file, an Encapsulated PostScript file, a SWF file, a Windows Metafile file, an AutoCAD DXF file or a CorelDraw CDR file.
  - 36. The computer-readable storage medium of claim 24, wherein file formats of the one or more embedded images are selected from a group comprising Graphic Interchange Format (GIF), Joint Photographic Experts Group (JPEG) and Portable Network Graphics (PNG), Progressive Graphics File (PGF), Tagged Image File Format (TIFF), bit mapped format (BMP), HDP, WDP, XPM, MacOS-PICT, Irix-RGB, Multiresolution Seamless Image Database (MrSID), RAW format, vector format, Scalable Vector Graphics (SVG), Portable Document Format (PDF), Encapsulated PostScript, SWF, Windows Metafile, AutoCAD DXF and CorelDraw CDR.

37. An electronic mail (email) security system comprising:
- a non-transitory storage device having tangibly embodied thereon instructions associated with an anti-spam module; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the instructions associated with the anti-spam module to perform a method comprising;
  
  converting an embedded image of an email message to a binarized representation by performing thresholding on a grayscale representation of the embedded image;
  
  quantifying a number of text strings that are included in the embedded image by analyzing one or more blocks of the binarized representation with a text string measurement algorithm;
  
  classifying the email message as spam or clean based at least in part on the number of text strings; and
  
  wherein the one or more blocks comprise M×
  
  N virtual blocks and wherein the text string measurement algorithm employs equations having a general form as follows;
- View Dependent Claims (38, 39, 40, 41)
- - 38. The system of claim 37, wherein the embedded image is conveyed formatted in accordance with Graphic Interchange Format (GIF), Joint Photographic Experts Group (JPEG) or Portable Network Graphics (PNG).
  - 39. The system of claim 37, wherein the embedded image comprises an image contained within a file attached to the email message.
  - 40. The system of claim 38, wherein the method further comprises determining an approximate display location of an embedded image within an email message.
  - 41. The system of claim 38, wherein the method further comprises identifying existence of one or more abnormal factors associated with the embedded image.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Lu, Jun, Cheng, Jiandong
Primary Examiner(s)
Moore, Ian N
Assistant Examiner(s)
Nguyen, Thai

Application Number

US12/114,815
Publication Number

US 20090110233A1
Time in Patent Office

1,472 Days
Field of Search

709204-207
US Class Current

709/206
CPC Class Codes

G06Q 10/107 Computer-aided management o...

G06V 30/413 Classification of content, ...

Image spam filtering based on senders' intention analysis

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Image spam filtering based on senders' intention analysis

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links