Stopping and remediating outbound messaging abuse

US 8,363,793 B2
Filed: 04/20/2011
Issued: 01/29/2013
Est. Priority Date: 02/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

extracting behavior data from outbound messages originated from a subscriber account, wherein the behavior data includes attributes that are indicative of misuse of the subscriber account;

building a profile for the subscriber account based on the behavior data, the profile Including long-term outbound message flow data associated with the subscriber account;

tracking said behavior data; and

detecting a behavior-based anomaly for the outbound messages by comparing recent outbound messages originated from the subscriber account to the long-term outbound message flow data of the profile of the subscriber account to detect changes in the recent outbound messages in comparison to the profile of the subscriber account.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection.

158 Citations

24 Claims

1. A method comprising:
- extracting behavior data from outbound messages originated from a subscriber account, wherein the behavior data includes attributes that are indicative of misuse of the subscriber account;
  
  building a profile for the subscriber account based on the behavior data, the profile Including long-term outbound message flow data associated with the subscriber account;
  
  tracking said behavior data; and
  
  detecting a behavior-based anomaly for the outbound messages by comparing recent outbound messages originated from the subscriber account to the long-term outbound message flow data of the profile of the subscriber account to detect changes in the recent outbound messages in comparison to the profile of the subscriber account.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising determining reputation data for the subscriber account based on the detected behavior-based anomaly, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected.
  - 3. The method of claim 1, further comprising determining reputation data for the subscriber account based on the detected behavior-based anomaly, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected for a specific time interval.
  - 4. The method of claim 1 wherein said behavior data comprises at least one of a group consisting of:
    - metrics relating to a size of the outbound messages, metrics relating to a number of recipients specified in the outbound messages, metrics relating to presence of attachments to the outbound messages, metrics relating to timing of the outbound messages, a total number of the outbound messages, a total number of the outbound messages suspected of being spam, a total number of the outbound messages suspected of containing a virus, an average number of the outbound messages, an average size of the outbound messages, a largest size of the outbound messages, a maximum size permitted for the outbound messages, an average number of recipients for the outbound messages, a largest number of recipients for the outbound messages, a maximum number of recipients permitted for the outbound messages, a frequency of repetition of recipients for the outbound messages, an address format employed for the outbound messages, an average number of message header lines for the outbound messages, an average Bayesian spam filter score for the outbound messages, a number of the outbound messages originated with attachments, a number of the outbound messages originated with particular attachment types, a number of the outbound messages originated by a particular mailer, a number of the outbound messages containing a particular character set, and standard deviations of various measurements of the outbound messages.
  - 5. The method of claim 1 further comprising alerting a network operations analyst of potential account misuse based on the detected behavior-based anomaly.
  - 6. The method of claim 2 comprising applying a predetermined set of message disposition policies to messages originated from the subscriber account based upon the reputation score.
  - 7. The method of claim 2 further comprising:
    - combining said reputation data with content-based spam signature filtering to construct combined reputation data for the subscriber account;
      
      taking an immediate action on one of the outbound messages in response to the combined reputation data; and
      
      taking a long term action on the subscriber account in response to said combined reputation data.
  - 8. The method of claim 2 wherein the building of the profile is performed until there is sufficient behavior data to identify an anomaly prior to the detecting of the behavior-based anomalies.

9. A sender reputation gateway system, comprising:
- a service and response system that services and responds to requests from at least one subscriber account;
  
  a behavior data extraction system that extracts behavior data of said at least one subscriber account from outbound messages originated from the subscriber account, the behavior data including attributes of the subscriber account that are indicative of misuse of the subscriber account;
  
  a profile builder system that builds a profile for the subscriber account based on the behavior data extracted from the outbound messages, the subscriber profile including long-term outbound messages flow data associated with subscriber account;
  
  a tracking system that tracks the behavior data; and
  
  an anomaly detection system that detects behavior-based anomalies for the outbound messages by comparing recent outbound messages originated from the subscriber account to the long-term outbound message flow data of the profile of the subscriber account to detect changes in the recent outbound messages in comparison to the profile of the subscriber account.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The sender reputation gateway system of claim 9, further comprising:
    - a reputation data determination system that determines reputation data for the subscriber account based on the detected behavior-based anomalies, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected.
  - 11. The sender reputation gateway system of claim 9, further comprising:
    - a reputation data determination system that determines reputation data for the subscriber account based on the detected behavior-based anomalies, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected for a specific time interval.
  - 12. The sender reputation gateway system of claim 9 wherein said behavior data comprises at least one of a group consisting of:
    - metrics relating to a size of the outbound messages, metrics relating to a number of recipients specified in the outbound messages, metrics relating to presence of attachments to the outbound messages, metrics relating to timing of the outbound messages, a total number of the outbound messages, a total number of the outbound messages suspected of being spam, a total number of the outbound messages suspected of containing a virus, an average number of the outbound messages, an average size of the outbound messages, a largest size of the outbound messages, a maximum size permitted for the outbound messages, an average number of recipients for the outbound messages, a largest number of recipients for the outbound messages, a maximum number of recipients permitted for the outbound messages, a frequency of repetition of recipients for the outbound messages, an address format employed for the outbound messages, an average number of message header lines for the outbound messages, an average Bayesian spam filter score for the outbound messages, a number of the outbound messages originated with attachments, a number of the outbound messages originated with particular attachment types, a number of the outbound messages originated by a particular mailer, a number of the outbound messages containing a particular character set, and standard deviations of various measurements of the outbound messages.
  - 13. The sender reputation gateway system of claim 9 further comprising an alert system that alerts a network operations analyst of potential subscriber account misuse based on the behavior-based anomalies.
  - 14. The sender reputation gateway system of claim 10 further comprising a disposition policy system that applies a predetermined set of message disposition policies to the messages originated by the subscriber account based upon the reputation data for the subscriber account.
  - 15. The sender reputation gateway system of claim 10 wherein the reputation data determination system further combines the reputation data with content-based spam signature filtering to construct combined reputation data for the subscriber account;
    - takes an immediate action on a particular message originated by the subscriber account in response to the combined reputation data; and
      
      takes a long term action on the subscriber account in response to the combined reputation data.
  - 16. The sender reputation gateway system of claim 10 wherein the profile builder system operates until there is sufficient behavior data to identify anomalies prior to operating the anomaly detection system.

17. Logic encoded in one or more tangible media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- extracting behavior data from outbound messages originated from a subscriber account, wherein the behavior data includes attributes that are indicative of misuse of the subscriber account;
  
  building a profile for the subscriber account based on the behavior data, the subscriber profile including long-term outbound message flow data associated with the subscriber account;
  
  tracking said behavior data; and
  
  detecting a behavior-based anomaly for the outbound messages by comparing recent outbound messages originated from the subscriber account to the long-term outbound message flow data of the profile of the subscriber account to detect changes in the recent outbound messages in comparison to the profile of the subscriber account.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The encoded logic of claim 17, further comprising determining reputation data for the subscriber account based on the detected behavior-based anomaly, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected.
  - 19. The encoded logic of claim 17, further comprising determining reputation data for the subscriber account based on the detected behavior-based anomaly, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected for a specific time interval.
  - 20. The encoded logic of claim 18 wherein said behavior data comprises at least one of a group consisting of:
    - metrics relating to a size of the outbound messages, metricscrelating to a number of recipients specified in the outbound messages, metrics relating to presence of attachments to the outbound messages, metrics relating to timing of the outbound messages, a total number of the outbound messages, a total number of the outbound messages suspected of being spam, a total number of the outbound messages suspected of containing a virus, an average number of the outbound messages, an average size of the outbound messages, a largest size of the outbound messages, a maximum size permitted for the outbound messages, an average number of recipients for the outbound messages, a largest number of recipients for the outbound messages, a maximum number of recipients permitted for the outbound messages, a frequency of repetition of recipients for the outbound messages, an address format employed for the outbound messages, an average number of message header lines for the outbound messages, an average Bayesian spam filter score for the outbound messages, a number of the outbound messages originated with attachments, a number of the outbound messages originated with particular attachment types, a number of the outbound messages originated by a particular mailer, a number of the outbound messages containing a particular character set, and standard deviations of various measurements of the outbound messages.
  - 21. The encoded logic of claim 17 further comprising alerting a network operations analyst of potential account misuse based on the detected behavior-based anomaly.
  - 22. The encoded logic of claim 18 comprising applying a predetermined set of message disposition policies to messages originated from the subscriber account based upon the reputation score.
  - 23. The encoded logic of claim 18 further comprising:
    - combining said reputation data with content-based spam signature filtering to construct combined reputation data for the subscriber account;
      
      taking an immediate action on one of the outbound messages in response to the combined reputation data; and
      
      taking a long term action on the subscriber account in response to said combined reputation data.
  - 24. The encoded logic of claim 18 wherein the building of the profile is performed until there is sufficient behavior data to identify an anomaly prior to the detecting of the behavior-based anomalies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Chasin, C. Scott, Lin, Wei, Kincaid-Smith, Paul
Primary Examiner(s)
ISLAM, MOHAMMAD K

Application Number

US13/091,011
Publication Number

US 20110197275A1
Time in Patent Office

650 Days
Field of Search

709206-207, 379 8801- 8823, 379/114.14, 379/145, 379/127.02
US Class Current

379/88.09
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Stopping and remediating outbound messaging abuse

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

158 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Stopping and remediating outbound messaging abuse

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links