Systems and methods for message threat management
First Claim
1. A computer-implemented method comprising:
- receiving a communication from a first sender destined to a recipient in a network;
- accessing a whitelist specifying approved senders, each of the approved senders having a trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust;
- determining, using at least one data processing apparatus, whether the first sender is one of the approved senders;
- in response to determining that the first sender is not one of the approved senders:
  - determining whether a threat level of the communication exceeds a threshold threat level;
  - in response to determining that the threat level does not exceed a threshold threat level, delivering the communication to the recipient; and
- in response to determining that the first sender is one of the approved senders:
  - determining whether the trust score for the first sender exceeds a threshold trust score;
  - in response to determining that the trust score exceeds the threshold trust score, delivering the communication to the recipient; and
  - in response to determining that the trust score does not exceed the threshold trust score, selecting one of a plurality of interrogation levels to which the communication will be subjected.
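The decision flow of claim 1 as an added Python sketch (not code from the patent). The threshold values, the linear frequency-to-trust ramp, the interrogation level names, and the quarantine branch for an unlisted sender above the threat threshold are assumptions, because the claim does not specify them.

```python
from collections import Counter

# Assumed tuning values; the claims name the thresholds but give no numbers.
THREAT_THRESHOLD = 0.5
TRUST_THRESHOLD = 0.6
SATURATION = 10  # outbound messages at which trust reaches 1.0 (assumption)
INTERROGATION_LEVELS = ("light", "standard", "full")  # hypothetical names


def build_whitelist(outbound_recipients):
    """Map each address that internal users wrote to onto a trust score.

    The score rises with outbound frequency, as the claim requires; the
    linear ramp capped at 1.0 is an assumption.
    """
    counts = Counter(addr.lower() for addr in outbound_recipients)
    return {addr: min(1.0, n / SATURATION) for addr, n in counts.items()}


def select_interrogation_level(trust):
    """Pick a level for a low-trust approved sender (assumed: less trust, deeper)."""
    # trust lies in [0, TRUST_THRESHOLD]; split that range into equal bands.
    band = int((1 - trust / TRUST_THRESHOLD) * len(INTERROGATION_LEVELS))
    return INTERROGATION_LEVELS[min(band, len(INTERROGATION_LEVELS) - 1)]


def route(sender, threat_level, whitelist):
    """Return the action claim 1 prescribes for one inbound communication."""
    trust = whitelist.get(sender.lower())
    if trust is None:  # sender is not an approved sender
        if threat_level <= THREAT_THRESHOLD:
            return "deliver"
        # Claim 1 does not say what happens here; quarantining is an assumption.
        return "quarantine"
    if trust > TRUST_THRESHOLD:
        # Delivered on trust alone: the claim evaluates no threat level here.
        return "deliver"
    return "interrogate:" + select_interrogation_level(trust)


# Constructed sample: recipients of mail sent from inside the network.
OUTBOUND = ["partner@example.org"] * 8 + ["vendor@example.net"] * 3 + ["new@example.com"]
WHITELIST = build_whitelist(OUTBOUND)
```

In this flow a sender above the trust threshold is delivered whatever threat level the message carries, so the outcome depends entirely on how the whitelist is populated and on the sender identifier the lookup uses.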
Abstract
The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.
421 Citations
18 Claims
1. A computer-implemented method comprising:
receiving a communication from a first sender destined to a recipient in a network; accessing a whitelist specifying approved senders, each of the approved senders having a trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust; determining, using at least one data processing apparatus, whether the first sender is one of the approved senders; in response to determining that the first sender is not one of the approved senders: determining whether a threat level of the communication exceeds a threshold threat level; in response to determining that the threat level does not exceed a threshold threat level, delivering the communication to the recipient; and in response to determining that the first sender is one of the approved senders: determining whether the trust score for the first sender exceeds a threshold trust score; in response to determining that the trust score exceeds the threshold trust score, delivering the communication to the recipient; and in response to determining that the trust score does not exceed the threshold trust score, selecting one of a plurality of interrogation levels to which the communication will be subjected.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A system comprising:
a data processing apparatus; and software stored on a computer storage apparatus and comprising instructions executable by the data processing apparatus and upon such execution cause the data processing apparatus to perform operations comprising: receive a communication from a first sender destined to a recipient in a network; access a whitelist specifying approved senders, each of the approved senders having a trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust; determine whether the first sender is one of the approved senders; in response to determining that the first sender is not one of the approved senders: determine whether a threat level of the communication exceeds a threshold threat level; in response to determining that the threat level does not exceed a threshold threat level, deliver the communication to the recipient; and in response to determining that the first sender is one of the approved senders: determine whether the trust score for the first sender exceeds a threshold trust score; in response to determining that the trust score exceeds the threshold trust score, deliver the communication to the recipient; and in response to determining that the trust score does not exceed the threshold trust score, select one of a plurality of interrogation levels to which the communication will be subjected.
Dependent claims: 12, 13, 14, 15, 16, 17
18. A non-transitory computer storage medium encoded with a computer program, the program comprising instructions that when executed by a data processing apparatus cause the data processing apparatus to perform operations, comprising:
receiving a communication from a first sender destined to a recipient in a network; accessing a whitelist specifying approved senders, each of the approved senders having a trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust; determining whether the first sender is one of the approved senders; in response to determining that the first sender is not one of the approved senders: determining whether a threat level of the communication exceeds a threshold threat level; in response to determining that the threat level does not exceed a threshold threat level, delivering the communication to the recipient; and in response to determining that the first sender is one of the approved senders: determining whether the trust score for the first sender exceeds a threshold trust score; in response to determining that the trust score exceeds the threshold trust score, delivering the communication to the recipient; and in response to determining that the trust score does not exceed the threshold trust score, selecting one of a plurality of interrogation levels to which the communication will be subjected.
Specification