Systems and methods for message threat management

US 8,631,495 B2
Filed: 11/28/2011
Issued: 01/14/2014
Est. Priority Date: 03/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving a communication from a first sender destined to a recipient in a network;

accessing a whitelist specifying approved senders, each of the approved senders having a trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust;

determining, using at least one data processing apparatus, whether the first sender is one of the approved senders;

in response to determining that the first sender is not one of the approved senders;

determining whether a threat level of the communication exceeds a threshold threat level;

in response to determining that the threat level does not exceed a threshold threat level, delivering the communication to the recipient; and

in response to determining that the first sender is one of the approved senders;

determining whether the trust score for the first sender exceeds a threshold trust score;

in response to determining that the trust score exceeds the threshold trust score, delivering the communication to the recipient; and

in response to determining that the trust score does not exceed the threshold trust score, selecting one of a plurality of interrogation levels to which the communication will be subjected.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules, in some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within ah acceptable margin of error. The hues are then propagated to one or more application layer security systems.

421 Citations

18 Claims

1. A computer-implemented method comprising:
- receiving a communication from a first sender destined to a recipient in a network;
  
  accessing a whitelist specifying approved senders, each of the approved senders having a trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust;
  
  determining, using at least one data processing apparatus, whether the first sender is one of the approved senders;
  
  in response to determining that the first sender is not one of the approved senders;
  
  determining whether a threat level of the communication exceeds a threshold threat level;
  
  in response to determining that the threat level does not exceed a threshold threat level, delivering the communication to the recipient; and
  
  in response to determining that the first sender is one of the approved senders;
  
  determining whether the trust score for the first sender exceeds a threshold trust score;
  
  in response to determining that the trust score exceeds the threshold trust score, delivering the communication to the recipient; and
  
  in response to determining that the trust score does not exceed the threshold trust score, selecting one of a plurality of interrogation levels to which the communication will be subjected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - in response to determining that the threat level exceeds the threshold threat level, preventing the communication from being delivered to the recipient.
  - 3. The method of claim 2, wherein preventing the communication from being delivered to the recipient comprises quarantining or deleting the communication.
  - 4. The method of claim 1, wherein a first approved sender receiving a first frequency of communications originating within the network higher than a second frequency of communications originating within the network received by a second approved sender will have a higher trust score than the second approved sender.
  - 5. The method of claim 1, further comprising:
    - determining a frequency with which communications originating within the network are sent to a unclassified sender, wherein the whitelist does not specify the unclassified sender as an approved sender; and
      
      updating the whitelist to specify the unclassified sender as an approved sender in response to determining that the frequency exceeds a sender destination threshold frequency.
  - 6. The method of claim 1, wherein the communication is an email message and the whitelist specifies an email address for each of the approved senders.
  - 7. The method of claim 1, wherein determining whether a threat level of the communication exceeds a threshold threat level comprises determining whether the communication is spam.
  - 8. The method of claim 1, wherein each of the plurality of interrogation levels includes a particular number and type of interrogation engines to interrogate the communication.
  - 9. The method of claim 8, wherein the type of interrogation engines include a spam interrogation engine and one or more virus interrogation engines.
  - 10. The method of claim 1, wherein selecting one of a plurality of interrogation levels to which the communication will be subjected comprises selecting the one of a plurality of interrogation levels to which the communication will be subjected based on a value of the trust score.

11. A system comprising:
- a data processing apparatus; and
  
  software stored on a computer storage apparatus and comprising instructions executable by the data processing apparatus and upon such execution cause the data processing apparatus to perform operations comprising;
  
  receive a communication from a first sender destined to a recipient in a network;
  
  access a whitelist specifying approved senders, each of the approved senders having a trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust;
  
  determine whether the first sender is one of the approved senders;
  
  in response to determining that the first sender is not one of the approved senders;
  
  determine whether a threat level of the communication exceeds a threshold threat level;
  
  in response to determining that the threat level does not exceed a threshold threat level, deliver the communication to the recipient; and
  
  in response to determining that the first sender is one of the approved senders;
  
  determine whether the trust score for the first sender exceeds a threshold trust score;
  
  in response to determining that the that score exceeds the threshold trust score, deliver the communication to the recipient; and
  
  in response to determining that the trust score does not exceed the threshold trust score, select one of a plurality of interrogation levels to which the communication will be subjected.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, wherein the data processing apparatus further performs operations comprising:
    - in response to determining that the threat level exceeds the threshold threat level, prevent the communication from being delivered to the recipient.
  - 13. The system of claim 12, wherein prevent the communication from being delivered to the recipient comprises quarantine or delete the communication.
  - 14. The system of claim 11, wherein a first approved sender receiving a first frequency of communications originating within the network higher than a second frequency of communications originating within the network received by a second approved sender will have a higher trust score than the second approved sender.
  - 15. The system of claim 11;
    - wherein the data processing apparatus further performs operations comprising;
      
      determine a frequency with which communications originating within the network are sent to a unclassified sender, wherein the whitelist does not specify the unclassified sender as an approved sender; and
      
      update the whitelist to specify the unclassified sender as an approved sender in response to determining that the frequency exceeds a sender destination threshold frequency.
  - 16. The system of claim 11, wherein the communication is an email message and the whitelist specifies an email address for each of the approved senders.
  - 17. The system of claim 11, wherein each of the plurality of interrogation levels includes a particular number and type of interrogation engines to interrogate the communication.

18. A non-transitory computer storage medium encoded with a computer program;
- the program comprising instructions that when executed by a data processing apparatus cause the data processing apparatus to perform operations, comprising;
  
  receiving a communication from a first sender destined to a recipient in a network;
  
  accessing a whitelist specifying approved senders, each of the approved senders having trust score indicative of a level of trust associated with the respective approved sender, wherein the trust score for each approved sender is based at least in part on a respective frequency with which communications originating within the network are sent to the approved sender, and higher frequencies of communications originating within the network sent to the approved sender correspond with higher levels of trust;
  
  determining whether the first sender is one of the approved senders;
  
  in response to determining that the first sender is not one of the approved senders;
  
  determining whether a threat level of the communication exceeds a threshold threat level;
  
  in response to determining that the threat level does not exceed a threshold threat level, delivering the communication to the recipient, andin response to determining;
  
  that the first sender is one of the approved senders;
  
  determining whether the trust score for the first sender exceeds a threshold trust score;
  
  in response to determining that the trust score exceeds the threshold trust score, delivering the communication to the recipient; and
  
  in response to determining that the trust score does not exceed the threshold trust score, selecting one of a plurality of interrogation levels to which the communication will be subjected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Judge, Paul
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
To, Baotran N

Application Number

US13/305,029
Publication Number

US 20120204265A1
Time in Patent Office

778 Days
Field of Search

726 22- 25, 713/188, 709/206
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Systems and methods for message threat management

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

421 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for message threat management

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

421 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links