Method and system for using spam e-mail honeypots to identify potential malware containing e-mails
First Claim
1. A computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising:
providing one or more honeypot computing systems;
providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
using one or more processors associated with one or more computing systems to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
using one or more processors associated with one or more computing systems to extract a feature or feature value associated with one or more of the identified potential malware containing e-mails, wherein the identified potential malware containing e-mails comprise various respective sets of feature or feature values, each set of feature values comprising a plurality of individual feature values, wherein a plurality of the identified potential malware containing e-mails have at least one individual feature value in common;
defining a burst threshold for the individual feature or feature value such that when the individual feature or feature value occurs in a number of emails exceeding the burst threshold number of times in a defined period of time, the feature or feature value is considered an indicator of malware containing e-mail;
using one or more processors associated with one or more computing systems to detect that the extracted feature or feature value occurs in a number of emails more than the burst threshold number of times in the defined period of time;
responsive to the detection, transforming a status of the individual feature or feature value from a first feature status into a status of suspicious e-mail parameter;
using one or more processors associated with one or more computing systems to distribute the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems; and
determining that the suspicious e-mail parameter has not been observed within a predefined number of e-mails within a predefined time frame, and transforming, as a result of the determination, the suspicious e-mail parameter back to the status of a feature.
Abstract
A method and apparatus for employing honeypot systems to identify potential malware containing messages whereby a decoy system to receive illegitimate e-mails is established. E-mails sent to the spam e-mail honeypot decoy are initially scanned/filtered and e-mails that are not considered possible malware containing e-mails are filtered out while the remaining e-mails sent to the spam e-mail honeypot decoy are identified as potential malware containing e-mails. One or more features, and/or feature values, of the identified e-mails are then identified, extracted and ranked. Once a given feature, and/or feature value, occurs more than a burst threshold number of times, the status of the given feature, and/or feature value, is transformed to that of suspicious e-mail parameter.
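As an added illustration, not code from the patent or its assignee, the burst-threshold state machine that the claim and abstract describe, run over constructed honeypot traffic: a preliminary filter, per-mail feature extraction, promotion of a feature value to a suspicious e-mail parameter once it exceeds the burst threshold inside the defined period, and demotion back to a plain feature once it has gone unseen for a set number of mails and seconds. The filter rule (no attachment means not a malware carrier), the two features chosen, the threshold values and the sample addresses are all assumptions.

```python
from collections import defaultdict, deque

FEATURE, SUSPICIOUS = "feature", "suspicious e-mail parameter"

def preliminary_filter(mail):
    # Assumed preliminary filter (the page does not fix the rule): no attachment -> dropped.
    return mail.get("attachment") is not None

def extract_features(mail):
    # Feature/value pairs per e-mail; which fields to use is an assumption.
    return [("attachment", mail["attachment"]), ("sender_domain", mail["from"].split("@")[1])]
class BurstTracker:
    # Promote a value seen more than `threshold` times inside `window` seconds;
    # demote it once unseen for `quiet_mails` e-mails and `quiet_secs` seconds.
    def __init__(self, threshold=3, window=60, quiet_mails=3, quiet_secs=300):
        self.threshold, self.window = threshold, window
        self.quiet_mails, self.quiet_secs = quiet_mails, quiet_secs
        self.hits = defaultdict(deque)  # key -> timestamps inside the window
        self.status, self.last, self.count = {}, {}, 0  # key -> status; key -> (mail index, ts)

    def observe(self, mail):
        # Feed one honeypot e-mail (timestamps non-decreasing); return the status changes.
        self.count += 1
        ts, changes = mail["ts"], []
        keys = extract_features(mail) if preliminary_filter(mail) else []
        for key in keys:
            q = self.hits[key]
            q.append(ts)
            while ts - q[0] > self.window:  # drop hits outside the defined period
                q.popleft()
            self.last[key] = (self.count, ts)
            if len(q) > self.threshold and self.status.get(key, FEATURE) == FEATURE:
                self.status[key] = SUSPICIOUS
                changes.append(("promote", key))
        for key, st in list(self.status.items()):  # reverse the status once quiet
            idx, seen = self.last[key]
            if st == SUSPICIOUS and self.count - idx >= self.quiet_mails and ts - seen >= self.quiet_secs:
                self.status[key] = FEATURE
                changes.append(("demote", key))
        return changes

    def suspicious_parameters(self):
        # What would be distributed to the security or e-mail systems right now.
        return sorted(k for k, s in self.status.items() if s == SUSPICIOUS)
# Constructed traffic to the decoy address (sender domains and file names are made up).
SAMPLE = [{"ts": t, "from": f"x@{d}", "attachment": a} for t, d, a in [
    (0, "a.test", "inv.zip"), (10, "b.test", "inv.zip"), (20, "c.test", None),
    (30, "d.test", "inv.zip"), (40, "e.test", "inv.zip"), (50, "f.test", "news.pdf"),
    (90, "g.test", "news.pdf"), (400, "h.test", "news.pdf")]]
def run(mails=SAMPLE):
    tracker = BurstTracker()
    log = [c for m in mails for c in tracker.observe(m)]
    return log, tracker.suspicious_parameters()
```

With the sample, the fourth `inv.zip` attachment inside 60 seconds promotes that value, and the quiet stretch that follows demotes it again, so the final distributed set is empty.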
20 Claims
1. (Claim 1 is reproduced in full under First Claim above; claims 2, 3, 4, 5, 6 and 7 depend on it.)
8. A system for employing honeypot systems to identify potential malware containing messages comprising:
one or more honeypot computing systems;
at least one computing system;
at least one e-mail system;
at least one processor associated with the at least one computing system, the at least one processor associated with the at least one computing system executing at least part of a computing system implemented process for employing honeypot systems to identify potential malware containing messages, the computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising:
providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
using the at least one processor associated with the at least one computing system to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
using the at least one processor associated with the at least one computing system to extract a feature or feature value associated with one or more of the identified potential malware containing e-mails, wherein the identified potential malware containing e-mails comprise various respective sets of feature or feature values, each set of feature values comprising a plurality of individual feature values, wherein a plurality of the identified potential malware containing e-mails have at least one individual feature value in common;
defining a burst threshold for the individual feature or feature value such that when the individual feature or feature value occurs in a number of emails exceeding the burst threshold number of times in a defined period of time, the feature or feature value is considered an indicator of malware containing e-mail;
using the at least one processor associated with the at least one computing system to detect that the extracted feature or feature value occurs in a number of emails more than the burst threshold number of times in the defined period of time;
responsive to the detection, transforming a status of the individual feature or feature value from a first feature status into a status of suspicious e-mail parameter;
using the at least one processor associated with the at least one computing system to distribute the suspicious e-mail parameter to one or more security systems or the at least one e-mail system for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the at least one e-mail system; and
determining that the suspicious e-mail parameter has not been observed within a predefined number of e-mails within a predefined time frame, and transforming, as a result of the determination, the suspicious e-mail parameter back to the status of a feature.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method for employing honeypot systems to identify potential malware containing messages comprising:
providing one or more honeypot computing systems;
providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
performing a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
extracting a feature or feature value associated with one or more of the identified potential malware containing e-mails, wherein the identified potential malware containing e-mails comprise various respective sets of feature or feature values, each set of feature values comprising a plurality of individual feature values, wherein a plurality of the identified potential malware containing e-mails have at least one individual feature value in common;
defining a burst threshold for the individual feature or feature value such that when the individual feature or feature value occurs in a number of emails exceeding the burst threshold number of times in a defined period of time, the feature or feature value is considered an indicator of malware containing e-mail;
detecting that the extracted feature or feature value occurs in a number of emails more than the burst threshold number of times in the defined period of time;
responsive to the detection, transforming a status of the individual feature or feature value from a first feature status into a status of suspicious e-mail parameter;
distributing the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems; and
determining that the suspicious e-mail parameter has not been observed within a predefined number of e-mails within a predefined time frame, and transforming, as a result of the determination, the suspicious e-mail parameter back to the status of a feature.
Dependent claims: 16, 17, 18, 19, 20.
Specification