Detection of e-mail threat acceleration

US 8,201,254 B1
Filed: 08/30/2005
Issued: 06/12/2012
Est. Priority Date: 08/30/2005
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting accelerating distribution of malicious email attachments, the method comprising:

using a computer to perform steps comprising;

monitoring an incoming email stream;

identifying incoming email messages with suspicious attachments;

generating signatures of the suspicious attachments;

queuing the suspicious attachments for a hold time;

submitting a report to a correlation component, the report listing signatures identifying suspicious attachments and containing information indicating a number of instances of each identified suspicious email attachment received in a current reporting period;

receiving, from the correlation component, an indication of whether a current acceleration rate for an identified suspicious attachment is anomalous, the current acceleration rate for the identified suspicious attachment determined responsive to a comparison of a number of instances of the identified suspicious attachment received by a plurality of queuing components in the current reporting period to a number of instances of the identified suspicious attachment received by the queuing components in one or more prior reporting periods, the indication of whether the current acceleration rate for the identified suspicious attachment is anomalous determined responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and

responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous;

determining whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;

responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queuing instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and

responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold;

increasing the hold time associated with the suspicious attachment; and

queuing instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of queuing components each monitor an incoming email stream, and identify incoming email messages with suspicious attachments. Each queuing component generates signatures of the suspicious attachments, and submits periodic reports to a correlation component. The reports list signatures and receipt times for suspicious attachments received since a last submitted report. The queuing component queues the suspicious attachments for a specified hold time, and further processes queued attachments based upon information concerning attachment acceleration rates received from the correlation component. The correlation component receives reports from the plurality of queuing components, and uses information in the submitted reports to maintain a system wide receipt history for each suspicious attachment. The correlation component uses the receipt histories to calculate receipt acceleration rates for suspicious attachments, which it provides to the queuing components, to be used to manage the queued attachments.

Citations

16 Claims

1. A computer implemented method for detecting accelerating distribution of malicious email attachments, the method comprising:
- using a computer to perform steps comprising;
  
  monitoring an incoming email stream;
  
  identifying incoming email messages with suspicious attachments;
  
  generating signatures of the suspicious attachments;
  
  queuing the suspicious attachments for a hold time;
  
  submitting a report to a correlation component, the report listing signatures identifying suspicious attachments and containing information indicating a number of instances of each identified suspicious email attachment received in a current reporting period;
  
  receiving, from the correlation component, an indication of whether a current acceleration rate for an identified suspicious attachment is anomalous, the current acceleration rate for the identified suspicious attachment determined responsive to a comparison of a number of instances of the identified suspicious attachment received by a plurality of queuing components in the current reporting period to a number of instances of the identified suspicious attachment received by the queuing components in one or more prior reporting periods, the indication of whether the current acceleration rate for the identified suspicious attachment is anomalous determined responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and
  
  responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous;
  
  determining whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
  
  responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queuing instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and
  
  responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold;
  
  increasing the hold time associated with the suspicious attachment; and
  
  queuing instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - releasing an email message stripped of the attachment into the email stream.
  - 3. The method of claim 1 wherein receiving the indication further comprises:
    - receiving, from the correlation component, a blacklist of signatures of attachments having anomalous current acceleration rates; and
      
      responsive to receiving an email with an attachment a signature of which is on the blacklist, quarantining that attachment.
  - 4. The method of claim 1 further comprising:
    - responsive to receiving an indication from the correlation component that the current acceleration rate for the identified suspicious email attachment is not anomalous, releasing the attachment into the email stream.
  - 5. The method of claim 1, wherein queuing instances of the suspicious attachment for an indefinite hold time comprises quarantining the instances of the suspicious attachment.

6. A computer implemented method for detecting accelerating distribution of malicious email attachments, the method comprising:
- using a computer to perform steps comprising;
  
  receiving reports from a plurality of queuing components, each report listing signatures identifying suspicious email attachments and containing information indicating a number of instances of each identified suspicious email attachment received by that queuing component in a current reporting period;
  
  calculating a current acceleration rate for a suspicious email attachment based on the reports from the plurality of queuing components, the current acceleration rate comparing a number of instances of an identified suspicious email attachment received by the queuing components in the current reporting period to a number of instances of the identified suspicious email attachment received by the queuing components in one or more prior reporting periods;
  
  determining whether the current acceleration rate for the suspicious email attachment is anomalous responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and
  
  reporting the determination of whether the current acceleration rate for the suspicious email attachment is anomalous to queuing components;
  
  wherein, responsive to a determination that the current acceleration rate for the identified suspicious attachment is anomalous, the queuing components are adapted to;
  
  determine whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
  
  responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queue instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator;
  
  responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold;
  
  increase the hold time associated with the suspicious attachment; and
  
  queue instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the reporting comprises:
    - responsive to receiving a query from a queuing component concerning an email attachment, returning a current acceleration rate concerning that attachment to the queuing component.
  - 8. The method of claim 6, wherein the reporting comprises:
    - adding a signature identifying the suspicious email attachment to a blacklist responsive to a determination that the current acceleration rate for the suspicious email attachment is anomalous; and
      
      distributing the blacklist to queuing components.
  - 9. The method of claim 6, wherein determining whether the current acceleration rate for the suspicious email attachment is anomalous further comprises:
    - comparing the current acceleration rate for the suspicious email attachment to a threshold based on a historical average acceleration for the suspicious email attachment; and
      
      evaluating whether the current acceleration rate is anomalous responsive to the comparison with the threshold.

10. A non-transitory computer readable medium, containing an executable computer program product for detecting accelerating distribution of malicious email attachments, the computer program product comprising:
- program code for monitoring an incoming email stream;
  
  program code for identifying incoming email messages with suspicious attachments;
  
  program code for generating signatures of the suspicious attachments;
  
  program code for queuing the suspicious attachments for a hold time;
  
  program code for submitting a report to a correlation component, the report listing signatures identifying suspicious attachments and containing information indicating a number of instances of each identified suspicious email attachment received in a current reporting period;
  
  program code for receiving, from the correlation component, an indication of whether a current acceleration rate for an identified suspicious attachment is anomalous, the current acceleration rate for the identified suspicious attachment determined responsive to a comparison of a number of instances of the identified suspicious attachment received by a plurality of queuing components in the current reporting period to a number of instances of the identified suspicious attachment received by the queuing components in one or more prior reporting periods, the indication of whether the current acceleration rate for the identified suspicious attachment is anomalous determined responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods; and
  
  program code for, responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous;
  
  determining whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
  
  responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queuing instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and
  
  responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold;
  
  increasing the hold time associated with the suspicious attachment; and
  
  queuing instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
- View Dependent Claims (11, 12)
- - 11. The computer readable medium containing the computer program product of claim 10 wherein receiving the indication further comprises:
    - receiving, from the correlation component, a blacklist of signatures of attachments having anomalous current acceleration rates; and
      
      responsive to receiving an email with an attachment a signature of which is on the blacklist, quarantining that attachment.
  - 12. The computer readable medium containing the computer program product of claim 10 further comprising:
    - program code for, responsive to receiving an indication from the correlation component that the current acceleration rate for the identified suspicious email attachment is not anomalous, releasing the attachment into the email stream.

13. A non-transitory computer readable medium containing an executable computer program product for detecting accelerating distribution of malicious email attachments, the computer program product comprising:
- program code for receiving reports from a plurality of queuing components, each report listing signatures identifying suspicious email attachments and containing information indicating a number of instances of each identified suspicious email attachment received by that queuing component in a current reporting period;
  
  program code for calculating a current acceleration rate for a suspicious email attachment based on the reports from the plurality of queuing components, the current acceleration rate comparing a number of instances of an identified suspicious email attachment received by the queuing components in the current reporting period to a number of instances of the identified suspicious email attachment received by the queuing components in one or more prior reporting periods;
  
  program code for determining whether the current acceleration rate for the suspicious email attachment is anomalous responsive to the current acceleration rate exceeding a historical variance threshold, the historical variance threshold determined by calculating a historical variance of the number of instances of the identified suspicious email attachment received by the queuing components in the prior reporting periods;
  
  program code for reporting the determination of whether the current acceleration rate for the suspicious email attachment is anomalous to queuing components; and
  
  wherein, responsive to receiving an indication that the current acceleration rate for the identified suspicious attachment is anomalous, the queuing components are adapted to;
  
  determine whether the current acceleration rate for the identified suspicious attachment exceeds an acceleration tolerance threshold;
  
  responsive to the current acceleration rate for the identified suspicious attachment exceeding the acceleration tolerance threshold, queue instances of the suspicious attachment until the suspicious attachment instances are deleted or released by an administrator; and
  
  responsive to the current acceleration rate for the identified suspicious attachment not exceeding the acceleration tolerance threshold;
  
  increase the hold time associated with the suspicious attachment; and
  
  queue instances of the suspicious attachment for the increased hold time associated with the suspicious attachment.
- View Dependent Claims (14, 15, 16)
- - 14. The computer readable medium containing the computer program product of claim 13, wherein the program code for reporting comprises:
    - program code for, responsive to receiving a query from a queuing component concerning an email attachment, returning a current acceleration rate concerning that attachment to the queuing component.
  - 15. The computer readable medium containing the computer program product of claim 13, wherein the reporting comprises:
    - adding a signature identifying the suspicious email attachment to a blacklist responsive to a determination that the current acceleration rate for the suspicious email attachment is anomalous; and
      
      distributing the blacklist to queuing components.
  - 16. The computer readable medium containing the computer program product of claim 13, wherein determining whether the current acceleration rate for the suspicious email attachment is anomalous further comprises:
    - comparing the current acceleration rate for the suspicious email attachment to a threshold based on a historical average acceleration for the suspicious email attachment; and
      
      evaluating whether the current acceleration rate is anomalous responsive to the comparison with the threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Wilhelm, Jeffrey, Nachenberg, Carey
Primary Examiner(s)
Davis, Zachary A
Assistant Examiner(s)
Pan, Joseph

Application Number

US11/214,631
Time in Patent Office

2,478 Days
Field of Search

713/1, 713/2, 713/188, 713/194, 380/200, 380/201, 380/255, 380/277, 726/2, 726 23- 25, 709/224, 709/225
US Class Current

726/24
CPC Class Codes

H04L 51/212 using filtering or selectiv...

H04L 63/1416 Event detection, e.g. attac...

Detection of e-mail threat acceleration

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of e-mail threat acceleration

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links