Message classification using domain name and IP address extraction
Abstract
A technique for classifying a message is disclosed. The technique includes determining the domain from which the message is purported to be sent, determining an IP address from which the message was relayed at some point in its transmission, associating the domain with the IP address, and classifying the message based on the associated domain and IP address.
19 Claims
1. A method for classifying a message, the method comprising:
receiving a message;
extracting a plurality of IP addresses and a plurality of domain names from the message, wherein the IP addresses and the domain names are placed in an array, and wherein each cell in the array is indexed by an IP address paired with each of the domain names;
selecting an IP address from the array, wherein the selected IP address is from a first hop along a path of the message;
selecting a domain name from the array, wherein the selected domain name is not required to be from the same hop as the selected IP address;
associating the selected IP address and selected domain name to form an IP address and domain pair;
receiving a classification for the IP address and domain pair;
classifying the message based on the classification for the IP address and domain pair; and
processing the message in accordance with the message classification.
2. The method of claim 1, wherein the classification for the IP address and domain pair includes at least one classification variable.
3. The method of claim 2, wherein the classification variable decays over time.
4. The method of claim 3, wherein the classification variable decays over time based on one or more time stamps associated with the IP address and domain pair.
5. The method of claim 3, wherein the classification variable decays at a periodic interval.
6. The method of claim 3, wherein the classification variable decays according to a function.
7. The method of claim 2, further comprising:
receiving a time stamp associated with the IP address and domain pair;
decaying the classification variable for the message based on the time stamp.
8. The method of claim 2, wherein the classification variable includes an increment count corresponding to a plurality of messages classified prior to receipt of the message.
9. The method of claim 8, wherein the increment count is a fractional increment count.
10. The method of claim 7, wherein classifying the message includes:
forming a score based on the increment count associated with a classification variable; and
classifying the message based on at least the score.
11. The method of claim 10, the score including a ratio of one or more classification variables.
12. The method of claim 10, the score including a ratio of one or more classification variables decayed over time.
13. The method of claim 10, wherein forming the score comprises giving a weight to the classification variable.
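
One possible reading of method claims 1 to 13, as an added example that is not code from the patent or its assignee: it forms a single (IP address, domain) pair per message rather than the full array, keeps decaying spam/good counts for that pair, and scores the message by their ratio. The names `extract_pair`, `PairTable` and `classify`, the choice of the topmost `Received` header and the `From` domain, the 7-day half-life, the neutral prior and the 0.8 threshold are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HALF_LIFE = 7 * 86400.0  # assumed half-life in seconds; the claims fix no value
# Constructed sample message (documentation address ranges only).
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [203.0.113.7]) by mx.example.org\n"
    "Received: from pc (unknown [198.51.100.9]) by mail.example.net\n"
    "From: Billing <billing@example.com>\n\nbody\n"
)

def extract_pair(raw):
    """Return the (ip, domain) pair for a raw message, or None if either is missing."""
    msg = message_from_string(raw)
    ips = [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]
    _, at, domain = parseaddr(msg.get("From", ""))[1].rpartition("@")
    # Assumption: the selected hop is the topmost Received header (our own gateway's).
    return (ips[0], domain.lower()) if ips and at and domain else None

class PairTable:
    """Decaying spam/good counts, one cell per (ip, domain) pair."""
    def __init__(self):
        self.cells = {}  # (ip, domain) -> (spam, good, time stamp of last update)

    def counts(self, pair, now):
        spam, good, ts = self.cells.get(pair, (0.0, 0.0, now))
        f = 0.5 ** (max(now - ts, 0.0) / HALF_LIFE)  # decay since the time stamp
        return spam * f, good * f

    def record(self, pair, is_spam, now, increment=1.0):
        spam, good = self.counts(pair, now)
        if is_spam:
            spam += increment  # the increment may be fractional
        else:
            good += increment
        self.cells[pair] = (spam, good, now)

    def score(self, pair, now):
        """Ratio of decayed counts with a neutral prior; 0.5 means no evidence."""
        spam, good = self.counts(pair, now)
        return (spam + 0.5) / (spam + good + 1.0)

def classify(table, raw, now, threshold=0.8):
    pair = extract_pair(raw)
    if pair is None:
        return "unknown"
    return "spam" if table.score(pair, now) >= threshold else "deliver"
```

Because both counts decay toward zero, a pair that was once reported heavily as spam drifts back to the neutral score of 0.5 unless new reports keep arriving.
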
14. A message classification apparatus, the apparatus comprising:
a memory storing an array, wherein each cell in the array is indexed by an IP address paired with each of the domain names;
a network interface configured to receive a message from over a communications network; and
a processor configured to execute software stored in the memory to:
extract a plurality of IP addresses and a plurality of domain names from the received message, wherein the extracted IP addresses and the domain names are placed in the array,
selects an IP address from the array, wherein the selected IP address is from a first hop along a path of the message,
selects a domain name from the array, wherein the selected domain name is not required to be from the same hop as the selected IP address,
form an IP address and domain name pair for the received message from the selected IP address and the selected domain name, and
classify the received message based on a comparison of the formed IP address and domain pair with the IP address and domain pair from the array, and
process the received message in accordance with the classification of the message.
15. The apparatus of claim 14, wherein the processor is further configured to generate a score based on the classification, the score stored in the table and associated with the corresponding IP address and domain pair.
16. A non-transitory computer-readable storage medium, having embodied thereon a program executable by a processor to perform a method for classifying a message, the method comprising:
receiving a message;
extracting a plurality of IP addresses and a plurality of domain names from the message, wherein the IP addresses and the domain names are placed in an array, and wherein each cell in the array is indexed by an IP address paired with each of the domain names;
selecting an IP address from the array, wherein the selected IP address is from a first hop along a path of the message;
selecting a domain name from the array, wherein the selected domain name is not required to be from the same hop as the selected IP address;
associating the selected IP address and selected domain name to form an IP address and domain pair;
receiving a classification for the IP address and domain pair;
classifying the message based on the classification for the IP address and domain pair; and
processing the message in accordance with the message classification.