Subscriber reputation filtering method for analyzing subscriber activity and detecting account misuse
First Claim
1. A computer-implemented method comprising:
receiving messages originated by at least one subscriber account;
evaluating the messages in order to develop a profile for the at least one subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the at least one subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the subscriber are addressed;
generating behavior data for the at least one subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the at least one subscriber account is combined with long-term behavior data in the profile to determine if the at least one subscriber account's privileges should be reduced;
detecting behavior-based anomalies for the at least one subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and
determining reputation data for the at least one subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.
Abstract
Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection.
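As an added illustration (not code from the patent or its assignee), this Python sketch shows the loop the abstract describes: build a per-account sending profile, compare recent usage against it, lower a trust rating on anomalies, and pick a message disposition. The EWMA baseline, every threshold, and the disposition names are assumptions chosen for the example.

```python
from dataclasses import dataclass

# All constants and names below are illustrative assumptions, not values from the patent.
ALPHA = 0.2          # EWMA weight given to the newest clean interval
SPIKE_FACTOR = 5.0   # multiple of the baseline treated as anomalous
MIN_HISTORY = 3      # clean intervals required before behaviour is judged
TRUST_PENALTY = 0.5  # trust multiplier applied per detected anomaly

@dataclass
class Profile:
    avg_msgs: float = 0.0        # long-term messages per interval
    avg_recipients: float = 0.0  # long-term recipients per message
    intervals_seen: int = 0
    trust: float = 1.0           # trustworthiness rating, 1.0 = fully trusted

def observe_interval(p, recipient_counts, spam_hits):
    """Score one interval of outbound mail against the profile, then update it.

    recipient_counts: recipients per message sent in the interval.
    spam_hits: how many of those messages content filtering flagged.
    Returns (anomalies, disposition).
    """
    n = len(recipient_counts)
    mean_rcpt = sum(recipient_counts) / n if n else 0.0
    anomalies = []
    if p.intervals_seen >= MIN_HISTORY:
        if n > SPIKE_FACTOR * max(p.avg_msgs, 1.0):
            anomalies.append("volume_spike")
        if mean_rcpt > SPIKE_FACTOR * max(p.avg_recipients, 1.0):
            anomalies.append("recipient_fanout")
    if n and spam_hits / n > 0.5:
        anomalies.append("content")
    if anomalies:
        p.trust *= TRUST_PENALTY ** len(anomalies)
    else:
        # Only clean intervals feed the baseline, so a burst cannot normalise itself.
        w = 1.0 if p.intervals_seen == 0 else ALPHA
        p.avg_msgs = (1 - w) * p.avg_msgs + w * n
        p.avg_recipients = (1 - w) * p.avg_recipients + w * mean_rcpt
        p.intervals_seen += 1
    if p.trust >= 0.75:
        return anomalies, "deliver"
    if p.trust >= 0.25:
        return anomalies, "deliver_with_bcc"   # copy goes to a monitoring mailbox
    return anomalies, "redirect"               # held at a quarantine destination
```

Because the volume and fan-out checks wait for `MIN_HISTORY` clean intervals, a brand-new account is judged on content alone until a baseline exists.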
12 Claims
1. A computer-implemented method comprising:
receiving messages originated by at least one subscriber account;
evaluating the messages in order to develop a profile for the at least one subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the at least one subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the subscriber are addressed;
generating behavior data for the at least one subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the at least one subscriber account is combined with long-term behavior data in the profile to determine if the at least one subscriber account's privileges should be reduced;
detecting behavior-based anomalies for the at least one subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and
determining reputation data for the at least one subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.
Dependent claims: 2, 3, 4
5. A gateway, comprising:
at least one hardware processor;
a service and response system that services and responds to requests from a subscriber account, wherein the gateway is configured for;
receiving messages originated by the subscriber account;
evaluating the messages in order to develop a profile for the subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the subscriber are addressed;
generating behavior data for the subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the subscriber account is combined with long-term behavior data in the profile to determine if the subscriber account's privileges should be reduced;
detecting behavior-based anomalies for the subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and
determining reputation data for the subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.
Dependent claims: 6, 7, 8
9. A machine-readable non-transitory medium that stores instructions for a computer system to perform operations, comprising:
receiving messages originated by at least one subscriber account;
evaluating the messages in order to develop a profile for the at least one subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the at least one subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the at least one subscriber account are addressed;
generating behavior data for the at least one subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the at least one subscriber account is combined with long-term behavior data in the profile to determine if the at least one subscriber account's privileges should be reduced;
detecting behavior-based anomalies for the at least one subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and
determining reputation data for the at least one subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.
Dependent claims: 10, 11, 12
Specification