Subscriber reputation filtering method for analyzing subscriber activity and detecting account misuse

US 8,484,295 B2
Filed: 12/21/2005
Issued: 07/09/2013
Est. Priority Date: 12/21/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving messages originated by at least one subscriber account;

evaluating the messages in order to develop a profile for the at least one subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the at least one subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the subscriber are addressed;

generating behavior data for the at least one subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the at least one subscriber account is combined with long-term behavior data in the profile to determine if the at least one subscriber account'"'"'s privileges should be reduced;

detecting behavior-based anomalies for the at least one subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and

determining reputation data for the at least one subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection.

Citations

12 Claims

1. A computer-implemented method comprising:
- receiving messages originated by at least one subscriber account;
  
  evaluating the messages in order to develop a profile for the at least one subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the at least one subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the subscriber are addressed;
  
  generating behavior data for the at least one subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the at least one subscriber account is combined with long-term behavior data in the profile to determine if the at least one subscriber account'"'"'s privileges should be reduced;
  
  detecting behavior-based anomalies for the at least one subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and
  
  determining reputation data for the at least one subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - providing an alert of potential subscriber account misuse based on said detected behavior-based anomalies.
  - 3. The method of claim 1, further comprising:
    - applying a predetermined set of message disposition policies to the new messages originated by said the subscriber account based on the reputation data.
  - 4. The method of claim 1, further comprising:
    - determining an immediate action with regard to a particular message originated by the subscriber account; and
      
      determining a long term action with regard to the subscriber account.

5. A gateway, comprising:
- at least one hardware processor;
  
  a service and response system that services and responds to requests from a subscriber account, wherein the gateway is configured for;
  
  receiving messages originated by the subscriber account;
  
  evaluating the messages in order to develop a profile for the subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the subscriber are addressed;
  
  generating behavior data for the subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the subscriber account is combined with long-term behavior data in the profile to determine if the subscriber account'"'"'s privileges should be reduced;
  
  detecting behavior-based anomalies for the subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and
  
  determining reputation data for the subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.
- View Dependent Claims (6, 7, 8)
- - 6. The gateway of claim 5, further comprising:
    - an alert system that provides an alert of potential subscriber account misuse based on said detected behavior-based anomalies.
  - 7. The gateway of claim 5, further comprising:
    - a disposition policy system that applies a predetermined set of message disposition policies to the new messages originated by the subscriber account based upon said determined reputation data for the subscriber account.
  - 8. The gateway of claim 5, wherein the gateway is further configured for:
    - determining an immediate action with regard to a particular message originated by the subscriber account; and
      
      determining a long term action for the subscriber account.

9. A machine-readable non-transitory medium that stores instructions for a computer system to perform operations, comprising:
- receiving messages originated by at least one subscriber account;
  
  evaluating the messages in order to develop a profile for the at least one subscriber account, wherein the profile includes information associated with content evaluation for the messages, and further includes metrics including a total number of e-mail messages originated from the at least one subscriber account within a predefined time interval, and an average number of recipients to which messages originated by the at least one subscriber account are addressed;
  
  generating behavior data for the at least one subscriber account to be included in the profile, wherein behavior data generated from a single e-mail message originated from the at least one subscriber account is combined with long-term behavior data in the profile to determine if the at least one subscriber account'"'"'s privileges should be reduced;
  
  detecting behavior-based anomalies for the at least one subscriber account, wherein the behavior-based anomalies include attempting to communicate a large number of new e-mail messages in comparison to messaging patterns related to the behavior data being maintained in the profile, and include detecting an abnormal DNS query pattern; and
  
  determining reputation data for the at least one subscriber account based, at least in part, on the content evaluation and on said detected behavior-based anomalies, and wherein the behavior-based anomalies cause a blind carbon copy recipient to be added to the new email messages and, further, cause the new e-mail messages to be redirected to a destination for which they were not originally intended, and wherein a trustworthiness rating included in the profile is reduced as a result of detecting the behavior-based anomalies.
- View Dependent Claims (10, 11, 12)
- - 10. The machine-readable medium of claim 9, wherein an alert is provided based on said detected behavior-based anomalies.
  - 11. The machine-readable medium of claim 9, further comprising:
    - applying a predetermined set of message disposition policies to the new messages originated by the subscriber account based upon said determined reputation data for the subscriber account.
  - 12. The machine-readable medium of claim 9, further comprising:
    - determining an immediate action with regard to a particular message originated by the subscriber account; and
      
      determining a long term action with regard to the subscriber account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Chasin, C. Scott, Lin, Wei, Kincaid-Smith, Paul
Primary Examiner(s)
Keehn, Richard G

Application Number

US11/315,480
Publication Number

US 20130041955A1
Time in Patent Office

2,757 Days
Field of Search

709/206
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

H04L 63/1425 Traffic logging, e.g. anoma...

Subscriber reputation filtering method for analyzing subscriber activity and detecting account misuse

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Subscriber reputation filtering method for analyzing subscriber activity and detecting account misuse

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links