Detection of e-mail threat acceleration
First Claim
1. A computer implemented method for detecting accelerating distribution of malicious email attachments, the method comprising:
using a computer to perform steps comprising:
monitoring an incoming email stream;
identifying incoming email messages with suspicious attachments;
generating signatures of the suspicious attachments;
queuing the suspicious attachments for a hold time;
submitting a report to a correlation component, the report listing signatures identifying suspicious attachments and containing information indicating a number of instances of each identified suspicious email attachment received in a current reporting period;
receiving, from the correlation component, an indication of whether a current acceleration rate for an identified suspicious attachment is anomalous, the current acceleration rate for the identified suspicious attachment determined responsive to a comparison of a number of instances of the identified suspicious attachment received by a plurality of queuing components in the current reporting period to a number of instances of the identified suspicious attachment received by the queuing components in one or more prior reporting periods, the indication of whether the current acceleration rate for the identified suspicious attachment is anomalous determined responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and
responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous:
determining whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queuing instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and
responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold:
increasing the hold time associated with the suspicious attachment; and
queuing instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
Abstract
A plurality of queuing components each monitor an incoming email stream, and identify incoming email messages with suspicious attachments. Each queuing component generates signatures of the suspicious attachments, and submits periodic reports to a correlation component. The reports list signatures and receipt times for suspicious attachments received since a last submitted report. The queuing component queues the suspicious attachments for a specified hold time, and further processes queued attachments based upon information concerning attachment acceleration rates received from the correlation component. The correlation component receives reports from the plurality of queuing components, and uses information in the submitted reports to maintain a system wide receipt history for each suspicious attachment. The correlation component uses the receipt histories to calculate receipt acceleration rates for suspicious attachments, which it provides to the queuing components, to be used to manage the queued attachments.
Citations
16 Claims
1. A computer implemented method for detecting accelerating distribution of malicious email attachments, the method comprising:
using a computer to perform steps comprising:
monitoring an incoming email stream;
identifying incoming email messages with suspicious attachments;
generating signatures of the suspicious attachments;
queuing the suspicious attachments for a hold time;
submitting a report to a correlation component, the report listing signatures identifying suspicious attachments and containing information indicating a number of instances of each identified suspicious email attachment received in a current reporting period;
receiving, from the correlation component, an indication of whether a current acceleration rate for an identified suspicious attachment is anomalous, the current acceleration rate for the identified suspicious attachment determined responsive to a comparison of a number of instances of the identified suspicious attachment received by a plurality of queuing components in the current reporting period to a number of instances of the identified suspicious attachment received by the queuing components in one or more prior reporting periods, the indication of whether the current acceleration rate for the identified suspicious attachment is anomalous determined responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and
responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous:
determining whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queuing instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and
responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold:
increasing the hold time associated with the suspicious attachment; and
queuing instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
Dependent claims: 2, 3, 4, 5
6. A computer implemented method for detecting accelerating distribution of malicious email attachments, the method comprising:
using a computer to perform steps comprising:
receiving reports from a plurality of queuing components, each report listing signatures identifying suspicious email attachments and containing information indicating a number of instances of each identified suspicious email attachment received by that queuing component in a current reporting period;
calculating a current acceleration rate for a suspicious email attachment based on the reports from the plurality of queuing components, the current acceleration rate comparing a number of instances of an identified suspicious email attachment received by the queuing components in the current reporting period to a number of instances of the identified suspicious email attachment received by the queuing components in one or more prior reporting periods;
determining whether the current acceleration rate for the suspicious email attachment is anomalous responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and
reporting the determination of whether the current acceleration rate for the suspicious email attachment is anomalous to queuing components;
wherein, responsive to a determination that the current acceleration rate for the identified suspicious attachment is anomalous, the queuing components are adapted to:
determine whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queue instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator;
responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold:
increase the hold time associated with the suspicious attachment; and
queue instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
Dependent claims: 7, 8, 9
10. A non-transitory computer readable medium, containing an executable computer program product for detecting accelerating distribution of malicious email attachments, the computer program product comprising:
program code for monitoring an incoming email stream;
program code for identifying incoming email messages with suspicious attachments;
program code for generating signatures of the suspicious attachments;
program code for queuing the suspicious attachments for a hold time;
program code for submitting a report to a correlation component, the report listing signatures identifying suspicious attachments and containing information indicating a number of instances of each identified suspicious email attachment received in a current reporting period;
program code for receiving, from the correlation component, an indication of whether a current acceleration rate for an identified suspicious attachment is anomalous, the current acceleration rate for the identified suspicious attachment determined responsive to a comparison of a number of instances of the identified suspicious attachment received by a plurality of queuing components in the current reporting period to a number of instances of the identified suspicious attachment received by the queuing components in one or more prior reporting periods, the indication of whether the current acceleration rate for the identified suspicious attachment is anomalous determined responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and
program code for, responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous:
determining whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queuing instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and
responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold:
increasing the hold time associated with the suspicious attachment; and
queuing instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
Dependent claims: 11, 12
13. A non-transitory computer readable medium containing an executable computer program product for detecting accelerating distribution of malicious email attachments, the computer program product comprising:
program code for receiving reports from a plurality of queuing components, each report listing signatures identifying suspicious email attachments and containing information indicating a number of instances of each identified suspicious email attachment received by that queuing component in a current reporting period;
program code for calculating a current acceleration rate for a suspicious email attachment based on the reports from the plurality of queuing components, the current acceleration rate comparing a number of instances of an identified suspicious email attachment received by the queuing components in the current reporting period to a number of instances of the identified suspicious email attachment received by the queuing components in one or more prior reporting periods;
program code for determining whether the current acceleration rate for the suspicious email attachment is anomalous responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods;
program code for reporting the determination of whether the current acceleration rate for the suspicious email attachment is anomalous to queuing components; and
wherein, responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous, the queuing components are adapted to:
determine whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queue instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and
responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold:
increase the hold time associated with the suspicious attachment; and
queue instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
Dependent claims: 14, 15, 16
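The abstract and independent claims describe one decision pipeline split across two roles: queuing components (mail gateways) count suspicious attachments by signature per reporting period, a correlation component aggregates those counts into a system-wide receipt history and derives an acceleration rate plus a historical variance threshold, and each gateway then applies the acceleration tolerance threshold to decide between a normal hold, a longer hold, or holding until an administrator acts. The following Python model is an added example written for this page; it is not code from the patent or its assignee. Everything the claims leave open is an assumption and is marked as such in the code: the signature is SHA-256 of the attachment bytes, the acceleration rate is the current period's count divided by the mean of the prior periods, the historical variance threshold is the rate at which the count would sit `Z_SCORE_K` standard deviations above that mean, and an "increase" of the hold time is a doubling. The three attachment bodies, the two gateways and the per-period delivery counts are constructed to exercise all three outcomes.

```python
import hashlib
import statistics
from enum import Enum
from typing import Dict, List, NamedTuple, Optional, Tuple

# Tunables: all four values are assumptions for this example, not figures from the patent.
Z_SCORE_K = 2.0          # std devs above the prior mean that define the historical variance threshold
ACCEL_TOLERANCE = 4.0    # acceleration rate beyond which attachments are held for an administrator
BASE_HOLD_SECONDS = 900  # initial hold time for a suspicious attachment
MIN_PRIOR_PERIODS = 3    # prior periods required before a signature is judged at all


def attachment_signature(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # SHA-256 is an assumption; the claims only say "signature"


class Action(Enum):
    RELEASE_AFTER_HOLD = "release_after_hold"  # not anomalous: the normal hold time applies
    EXTEND_HOLD = "extend_hold"                # anomalous but within tolerance: hold longer
    HOLD_FOR_ADMIN = "hold_for_admin"          # beyond tolerance: hold until an admin deletes or releases


class Verdict(NamedTuple):
    signature: str
    current: int
    rate: float
    variance_threshold: float
    anomalous: bool


class CorrelationComponent:
    # Aggregates per-period reports from all queuing components into a system-wide receipt history.
    def __init__(self) -> None:
        self.history: Dict[str, List[int]] = {}  # signature -> per-period system-wide counts

    def process_period(self, reports: List[Dict[str, int]]) -> Dict[str, Verdict]:
        totals: Dict[str, int] = {}
        for report in reports:
            for sig, n in report.items():
                totals[sig] = totals.get(sig, 0) + n
        verdicts = {sig: self._judge(sig, n, self.history.get(sig, [])) for sig, n in totals.items()}
        for sig in set(self.history) | set(totals):  # extend every history by this period's count (0 if unseen)
            self.history.setdefault(sig, []).append(totals.get(sig, 0))
        return verdicts

    @staticmethod
    def _judge(sig: str, current: int, prior: List[int]) -> Verdict:
        if len(prior) < MIN_PRIOR_PERIODS:  # too little history to judge (assumption)
            return Verdict(sig, current, 0.0, float("inf"), False)
        mean, std = statistics.mean(prior), statistics.pstdev(prior)
        denom = max(mean, 1.0)  # floor so an all-zero history cannot divide by zero
        rate = current / denom  # acceleration rate: this period's count relative to the prior-period mean
        # Historical variance threshold: the rate at which the count would sit K std devs above the prior mean.
        threshold = max((mean + Z_SCORE_K * std) / denom, 1.0)
        return Verdict(sig, current, rate, threshold, rate > threshold)


class QueuingComponent:
    # One mail gateway: counts suspicious attachments per period and manages their hold time.
    def __init__(self) -> None:
        self.period_counts: Dict[str, int] = {}
        self.hold_for: Dict[str, Optional[float]] = {}  # None = held until an administrator acts

    def queue_suspicious(self, attachment: bytes) -> str:
        sig = attachment_signature(attachment)  # the suspicion check itself (AV, heuristics) is out of scope
        self.period_counts[sig] = self.period_counts.get(sig, 0) + 1
        return sig

    def build_report(self) -> Dict[str, int]:
        report, self.period_counts = self.period_counts, {}
        return report

    def apply_verdict(self, v: Verdict) -> Action:
        if not v.anomalous:
            return Action.RELEASE_AFTER_HOLD
        if v.rate > ACCEL_TOLERANCE:
            self.hold_for[v.signature] = None
            return Action.HOLD_FOR_ADMIN
        hold = self.hold_for.get(v.signature, BASE_HOLD_SECONDS)
        if hold is not None:  # doubling the hold time is an assumption; the claims only say "increase"
            self.hold_for[v.signature] = hold * 2
        return Action.EXTEND_HOLD


# Constructed scenario: three attachment bodies seen at two gateways over four reporting periods.
SAMPLES = {"steady": b"constructed sample A", "growing": b"constructed sample B", "burst": b"constructed sample C"}
DELIVERIES = {  # label -> per period (count at gateway 1, count at gateway 2)
    "steady": [(2, 2), (2, 3), (3, 3), (3, 3)],
    "growing": [(3, 2), (3, 3), (2, 3), (4, 4)],
    "burst": [(1, 0), (0, 1), (1, 0), (10, 10)],
}


def run_scenario() -> Dict[str, Tuple[Verdict, Action, Optional[float]]]:
    """Per sample: the final period's verdict, gateway 1's action and gateway 1's resulting hold time."""
    correlator, gateways = CorrelationComponent(), [QueuingComponent(), QueuingComponent()]
    outcome: Dict[str, Tuple[Verdict, Action, Optional[float]]] = {}
    for period in range(4):
        for label, body in SAMPLES.items():
            for gw, count in zip(gateways, DELIVERIES[label][period]):
                for _ in range(count):
                    gw.queue_suspicious(body)
        verdicts = correlator.process_period([gw.build_report() for gw in gateways])
        for label, body in SAMPLES.items():
            v = verdicts[attachment_signature(body)]
            actions = [gw.apply_verdict(v) for gw in gateways]
            outcome[label] = (v, actions[0], gateways[0].hold_for.get(v.signature, BASE_HOLD_SECONDS))
    return outcome
```

In the fourth period the "steady" sample (6 instances against a prior history of 4, 5, 6) stays inside its historical variance and is released after the normal hold; the "growing" sample (8 against 5, 6, 5) exceeds the variance threshold but not the tolerance of 4x, so its hold time is doubled; the "burst" sample (20 against 1, 1, 1) clears both thresholds and is held until an administrator deletes or releases it. The correlator never sees the attachment bodies, only signatures and counts, which is what lets many gateways share one receipt history without shipping content between them.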
Specification