Method and system for using spam e-mail honeypots to identify potential malware containing e-mails

US 8,549,642 B2
Filed: 01/20/2010
Issued: 10/01/2013
Est. Priority Date: 01/20/2010
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising:

providing one or more honeypot computing systems;

providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;

receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;

using one or more processors associated with one or more computing systems to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;

as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;

using one or more processors associated with one or more computing systems to extract a feature or feature value associated with one or more of the identified potential malware containing e-mails, wherein the identified potential malware containing e-mails comprise various respective sets of feature or feature values, each set of feature values comprising a plurality of individual feature values, wherein a plurality of the identified potential malware containing e-mails have at least one individual feature value in common;

defining a burst threshold for the individual feature or feature value such that when the individual feature or feature value occurs in a number of emails exceeding the burst threshold number of times in a defined period of time, the feature or feature value is considered an indicator of malware containing e-mail;

using one or more processors associated with one or more computing systems to detect that the extracted feature or feature value occurs in a number of emails more than the burst threshold number of times in the defined period of time;

responsive to the detection, transforming a status of the individual feature or feature value from a first feature status into a status of suspicious e-mail parameter;

using one or more processors associated with one or more computing systems to distribute the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems; and

determining that the suspicious e-mail parameter has not been observed within a predefined number of e-mails within a predefined time frame, and transforming, as a result of the determination, the suspicious e-mail parameter back to the status of a feature.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for employing honeypot systems to identify potential malware containing messages whereby a decoy system to receive illegitimate e-mails is established. E-mails sent to the spam e-mail honeypot decoy are initially scanned/filtered and e-mails that are not considered possible malware containing e-mails are filtered out while the remaining e-mails sent to the spam e-mail honeypot decoy are identified as potential malware containing e-mails. One or more features, and/or feature values, of the identified e-mails are then identified, extracted and ranked. Once a given feature, and/or feature value, occurs more than a burst threshold number of times, the status of the given feature, and/or feature value, is transformed to that of suspicious e-mail parameter.

52 Citations

View as Search Results

20 Claims

1. A computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising:
- providing one or more honeypot computing systems;
  
  providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  using one or more processors associated with one or more computing systems to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
  
  as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
  
  using one or more processors associated with one or more computing systems to extract a feature or feature value associated with one or more of the identified potential malware containing e-mails, wherein the identified potential malware containing e-mails comprise various respective sets of feature or feature values, each set of feature values comprising a plurality of individual feature values, wherein a plurality of the identified potential malware containing e-mails have at least one individual feature value in common;
  
  defining a burst threshold for the individual feature or feature value such that when the individual feature or feature value occurs in a number of emails exceeding the burst threshold number of times in a defined period of time, the feature or feature value is considered an indicator of malware containing e-mail;
  
  using one or more processors associated with one or more computing systems to detect that the extracted feature or feature value occurs in a number of emails more than the burst threshold number of times in the defined period of time;
  
  responsive to the detection, transforming a status of the individual feature or feature value from a first feature status into a status of suspicious e-mail parameter;
  
  using one or more processors associated with one or more computing systems to distribute the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems; and
  
  determining that the suspicious e-mail parameter has not been observed within a predefined number of e-mails within a predefined time frame, and transforming, as a result of the determination, the suspicious e-mail parameter back to the status of a feature.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems includes implementing a heuristic using one or more processors associated with one or more computing systems that excludes all e-mails of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems that are text only e-mails, or excludes all emails that do not include a binary attachment, or excludes all emails that have only image based binary attachments, the excludes emails being removed from further processing by the computing system implemented process for employing honeypot systems to identify potential malware containing messages.
  - 3. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - for a extracted feature type of the extracted feature or feature value associated with the identified potential malware containing e-mails, the feature type is extracted from the identified potential malware containing e-mails and compared with a white list of known feature type values and a white list rule base describing patterns within the feature type values that are commonly found within legitimate e-mails and any feature value associated with the identified potential malware containing e-mails that is found within the white list or that matches a rule within the white list rule base is considered a legitimate feature value and not a candidate for being transformed into a suspicious e-mail parameter.
  - 4. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the subject header of the identified potential malware containing e-mails.
  - 5. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the filename of any attachment to the identified potential malware containing e-mails.
  - 6. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the filenames of files contained within any archive file attachments to identified potential malware containing e-mails.
  - 7. The computing system implemented process for employing honeypot systems to identify potential malware containing messages of claim 1, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is a defined character string.

8. A system for employing honeypot systems to identify potential malware containing messages comprising:
- one or more honeypot computing systems;
  
  at least one computing system;
  
  at least one e-mail system;
  
  at least one processor associated with the at least one computing system, the at least one processor associated with the at least one computing system executing at least part of a computing system implemented process for employing honeypot systems to identify potential malware containing messages, the computing system implemented process for employing honeypot systems to identify potential malware containing messages comprising;
  
  providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  using the at least one processor associated with the at least one computing system to perform a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
  
  as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
  
  using the at least one processor associated with the at least one computing system to extract a feature or feature value associated with one or more of the identified potential malware containing e-mails, wherein the identified potential malware containing e-mails comprise various respective sets of feature or feature values, each set of feature values comprising a plurality of individual feature values, wherein a plurality of the identified potential malware containing e-mails have at least one individual feature value in common;
  
  defining a burst threshold for the individual feature or feature value such that when the individual feature or feature value occurs in a number of emails exceeding the burst threshold number of times in a defined period of time, the feature or feature value is considered an indicator of malware containing e-mail;
  
  using the at least one processor associated with the at least one computing system to detect that the extracted feature or feature value occurs in a number of emails more than the burst threshold number of times in the defined period of time;
  
  responsive to the detection, transforming a status of the individual feature or feature value from a first feature status into a status of suspicious e-mail parameter;
  
  using the at least one processor associated with the at least one computing system to distribute the suspicious e-mail parameter to one or more security systems or the at least one e-mail system for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the at least one e-mail system; and
  
  determining that the suspicious e-mail parameter has not been observed within a predefined number of e-mails within a predefined time frame, and transforming, as a result of the determination, the suspicious e-mail parameter back to the status of a feature.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems includes implementing a heuristic using one or more processors associated with one or more computing systems that excludes all e-mails of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems that are text only e-mails, or excludes all emails that do not include a binary attachment, or excludes all emails that have only image based binary attachments, the excludes emails being removed from further processing by the computing system implemented process for employing honeypot systems to identify potential malware containing messages.
  - 10. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - for a extracted feature type of the extracted feature or feature value associated with the identified potential malware containing e-mails, the feature type is extracted from the identified potential malware containing e-mails and compared with a white list of known feature type values and a white list rule base describing patterns within the feature type values that are commonly found within legitimate e-mails and any feature value associated with the identified potential malware containing e-mails that is found within the white list or that matches a rule within the white list rule base is considered a legitimate feature value and not a candidate for being transformed into a suspicious e-mail parameter.
  - 11. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the subject header of the identified potential malware containing e-mails.
  - 12. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the filename of any attachment to the identified potential malware containing e-mails.
  - 13. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the filenames of files contained within any archive file attachments to identified potential malware containing e-mails.
  - 14. The system for employing honeypot systems to identify potential malware containing messages comprising of claim 8, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is a defined character string.

15. A method for employing honeypot systems to identify potential malware containing messages comprising:
- providing one or more honeypot computing systems;
  
  providing one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  receiving one or more e-mails at one of the one or more decoy e-mail addresses associated with the one or more honeypot computing systems;
  
  performing a preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems;
  
  as a result of the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems, identifying one or more of the one or more e-mails as potential malware containing e-mails;
  
  extracting a feature or feature value associated with one or more of the identified potential malware containing e-mails, wherein the identified potential malware containing e-mails comprise various respective sets of feature or feature values, each set of feature values comprising a plurality of individual feature values, wherein a plurality of the identified potential malware containing e-mails have at least one individual feature value in common;
  
  defining a burst threshold for the individual feature or feature value such that when the individual feature or feature value occurs in a number of emails exceeding the burst threshold number of times in a defined period of time, the feature or feature value is considered an indicator of malware containing e-mail;
  
  detecting that the extracted feature or feature value occurs in a number of emails more than the burst threshold number of times in the defined period of time;
  
  responsive to the detection, transforming a status of the individual feature or feature value from a first feature status into a status of suspicious e-mail parameter;
  
  distributing the suspicious e-mail parameter to one or more security systems or one or more e-mail systems for use in identifying potential malware containing e-mails being sent to one or more user computing systems through the one or more security systems or the one or more e-mail systems; and
  
  determining that the suspicious e-mail parameter has not been observed within a predefined number of e-mails within a predefined time frame, and transforming, as a result of the determination, the suspicious e-mail parameter back to the status of a feature.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - the preliminary filtering of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems includes implementing a heuristic using one or more processors associated with one or more computing systems that excludes all e-mails of the one or more e-mails received at the one or more decoy e-mail addresses associated with one or more honeypot computing systems that are text only e-mails, or excludes all emails that do not include a binary attachment, or excludes all emails that have only image based binary attachments, the excludes emails being removed from further processing by the computing system implemented process for employing honeypot systems to identify potential malware containing messages.
  - 17. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - for an extracted feature type of the extracted feature or feature value associated with the identified potential malware containing e-mails, the feature type is extracted from the identified potential malware containing e-mails and compared with a white list of known feature type values and a white list rule base describing patterns within the feature type values that are commonly found within legitimate e-mails and any feature value associated with the identified potential malware containing e-mails that is found within the white list or that matches a rule within the white list rule base is considered a legitimate feature value and not a candidate for being transformed into a suspicious e-mail parameter.
  - 18. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the subject header of the identified potential malware containing e-mails.
  - 19. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - the extracted feature or feature value associated with the identified potential malware containing e-mails is the filename of any attachment to the identified potential malware containing e-mails.
  - 20. The method for employing honeypot systems to identify potential malware containing messages of claim 15, wherein:
    - extracted feature or feature value associated with the identified potential malware containing e-mails is the filenames of files contained within any archive file attachments to identified potential malware containing e-mails.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lee, Martin
Primary Examiner(s)
Desrosiers, Evans

Application Number

US12/690,638
Publication Number

US 20110179487A1
Time in Patent Office

1,350 Days
Field of Search

713187-188, 713193-194, 709/206, 726/13, 726 22- 25
US Class Current

726/23
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Method and system for using spam e-mail honeypots to identify potential malware containing e-mails

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for using spam e-mail honeypots to identify potential malware containing e-mails

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links