Reputation based message processing

US 8,635,690 B2
Filed: 01/25/2008
Issued: 01/21/2014
Est. Priority Date: 11/05/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a message through a communications interface, the message comprising information and being a message from and associated with an entity;

receiving a reputation score that is indicative of a reputation for the entity associated with the message;

determining that the reputation score is indeterminate of the reputation of the entity, the reputation score being a value that does not provide an accurate indication of the reputation of the entity as being one of reputable or non-reputable, and in response to the determination;

queuing the message based upon the reputation score being indeterminate, thereby delaying delivery of the message;

collecting additional information associated with the entity that can be used to determine a reputation of the entity as being one of reputable or non-reputable;

receiving an updated reputation score that is indicative of the reputation for the entity associated with the message, the updated reputation score classifying the entity as being one of reputable or non-reputable and determined, in part, from the additional information collected, wherein a non-reputable reputation indicates a tendency by an entity to participate in a particular non-legitimate activity; and

in response to receiving the updated reputation score, processing the queued message based upon updated reputation score, the processing comprising;

delivering the message in response to the updated reputation score indicating the entity is reputable; and

sending, in response to the updated reputation score indicating the entity is non-reputable, the message to a dedicated interrogation engine to analyze the message for threats related to the particular non-legitimate activity in which the entity has exhibited a tendency to participate, and wherein a different dedicated interrogation engine is used for each different non-legitimate activity.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for processing electronic communications based upon reputation. Reputation of an entity associated with the electronic communication can be generated. The communication can be placed in a queue based upon the reputation. The queued communication can be processed based upon updated information about the entity.

689 Citations

15 Claims

1. A computer-implemented method, comprising:
- receiving a message through a communications interface, the message comprising information and being a message from and associated with an entity;
  
  receiving a reputation score that is indicative of a reputation for the entity associated with the message;
  
  determining that the reputation score is indeterminate of the reputation of the entity, the reputation score being a value that does not provide an accurate indication of the reputation of the entity as being one of reputable or non-reputable, and in response to the determination;
  
  queuing the message based upon the reputation score being indeterminate, thereby delaying delivery of the message;
  
  collecting additional information associated with the entity that can be used to determine a reputation of the entity as being one of reputable or non-reputable;
  
  receiving an updated reputation score that is indicative of the reputation for the entity associated with the message, the updated reputation score classifying the entity as being one of reputable or non-reputable and determined, in part, from the additional information collected, wherein a non-reputable reputation indicates a tendency by an entity to participate in a particular non-legitimate activity; and
  
  in response to receiving the updated reputation score, processing the queued message based upon updated reputation score, the processing comprising;
  
  delivering the message in response to the updated reputation score indicating the entity is reputable; and
  
  sending, in response to the updated reputation score indicating the entity is non-reputable, the message to a dedicated interrogation engine to analyze the message for threats related to the particular non-legitimate activity in which the entity has exhibited a tendency to participate, and wherein a different dedicated interrogation engine is used for each different non-legitimate activity.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein:
    - collecting additional information comprises collecting additional information for only a predefined time period.
  - 3. The computer-implemented method of claim 1, wherein collecting additional information associated with the entity comprises analyzing other communications associated with the entity to identifying relationships between the entity and known reputable entities or known non-reputable entities.
  - 4. The computer-implemented method of claim 3, wherein identifying relationships between the entity and known reputable or non-reputable entities comprises identifying common features between the entity and the known reputable or non-reputable entities.

5. A computer-implemented method, comprising:
- receiving an electronic communication that is associated with and received from an entity;
  
  receiving a reputation associated with the entity associated with the electronic communication;
  
  in response to the received reputation of the entity associated with the electronic communication being indeterminate that does not provide an accurate indication of the reputation of the entity as being one of reputable or non-reputable;
  
  labeling the electronic communication as a suspicious electronic communication;
  
  delaying delivery of the suspicious electronic communication;
  
  collecting additional information associated with the entity that can be used to determine a reputation of the entity as being one of reputable or non-reputable;
  
  receiving an updated reputation that is indicative of the reputation for the entity associated with the suspicious electronic communication, the updated reputation classifying the entity as being one of reputable or non-reputable and determined, in part, from the additional information collected, wherein a non-reputable reputation indicates a tendency by an entity to participate in a particular non-legitimate activity; and
  
  in response to receiving an updated reputation, processing the suspicious electronic communication based on the updated reputation, the processing comprising;
  
  delivering the suspicious electronic communication in response to the updated reputation indicating the entity is reputable; and
  
  sending, in response to the updated reputation indicating the entity is non-reputable, the suspicious electronic communication to a dedicated interrogation engine to analyze the suspicious electronic communication for threats related to the particular non-legitimate activity in which the entity has exhibited a tendency to participate, and wherein a different dedicated interrogation engine is used for each different non-legitimate activity.
- View Dependent Claims (6, 7)
- - 6. The computer-implemented method of claim 5, wherein collecting additional information associated with the entity comprising identifying relationships between the entity and known reputable entities or known non-reputable entities.
  - 7. The computer-implemented method of claim 6, wherein identifying relationships between the entity and known reputable or non-reputable entities comprises identifying common features shared by the entity and the known reputable or known non-reputable entities, including communications between the entities, identifying similar communications patterns, identifying similar communications sent independently from the entity and at least one of the known reputable or known non-reputable entities, and similar domains.

8. A message interrogation system comprising:
- a computer system having one or more computer devices and a communications interface operable to receive a query associated with a message;
  
  instructions stored in a computer storage device, the instructions executable by a computer system and defining;
  
  a reputation module operable to retrieve reputation information related to an entity associated with the message, the reputation module being further operable to identify the entity as having an indeterminate reputation that does not provide an accurate indication of the reputation of the entity as being one of reputable or non-reputable;
  
  a flagging module operable to instruct a message processing module to queue the message, wherein the queue is operable to hold the message without delivery;
  
  a reputation information collection module being operable to collect reputation information related to the entity associated with the message that can be used to determine a reputation of the entity as being one of reputable or non-reputable, wherein a non-reputable reputation indicates a tendency by an entity to participate in a particular non-legitimate activity; and
  
  the reputation module being further operable to derive an updated reputation based upon the collected reputation information and to communicate the updated reputation to a message transfer agent through the communications interface;
  
  wherein the message processing module is operable to process the message based upon the updated reputation, the processing comprising;
  
  forwarding the message to a recipient in response to the updated reputation indicating the entity is reputable; and
  
  sending, in response to the updated reputation indicating the entity is non-reputable, the message to a dedicated interrogation engine to analyze the message for threats related to the particular non-legitimate activity in which the entity has exhibited a tendency to participate, and wherein a different dedicated interrogation engine is used for each different non-legitimate activity.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the reputation module is operable to analyze communication patterns associated with the entity.
  - 10. The system of claim 9, wherein the reputation module is operable to compare the communication patterns associated with the entity to known behavioral profiles of reputable and non-reputable entities, and to identify the reputation based upon identifying a closest match between the communication patterns associated with the entity and the behavioral profiles of reputable and non-reputable entities.
  - 11. The system of claim 8, wherein the reputation module is operable to identify relationships between the entity and known reputable entities or known non-reputable entities.
  - 12. The system of claim 11, wherein relationships between the entity and known reputable or non-reputable entities are identified based upon identification of communications between the entities, identification of similar communications patterns, identification of similar communications sent independently from the entity and at least one of the known reputable or known non-reputable entities, and identification of similar domains.

13. A system comprising:
- a computer system having one or more computer devices and a communications interface operable to receive an electronic message, the electronic message being associated with and sent from an entity;
  
  instructions stored in a computer storage device, the instructions executable by a computer system and defining;
  
  a message processing module operable to process the electronic message to identify the entity and to send a reputation query to a reputation module to identify a reputation of the entity associated with the electronic message;
  
  a queuing module operable to place electronic messages into a queue based upon the reputation of the entity associated with the electronic message being an indeterminate reputation that does not provide an accurate indication of the reputation of the entity as being one of reputable or non-reputable;
  
  a reputation information collection module being operable to collect reputation information related to the entity associated with the electronic message that can be used to determine a reputation of the entity as being one of reputable or non-reputable, wherein a non-reputable reputation indicates a tendency by an entity to participate in a particular non-legitimate activity; and
  
  a reprocessing module operable to periodically query the reputation module for an updated reputation for the entity associated with the electronic message, the reprocessing module being further operable to process the electronic message based upon the updated reputation of the entity associated with the electronic message indicating the entity being one of reputable or non-reputable, the processing comprising;
  
  forwarding the electronic message to a recipient in response to the updated reputation indicating the entity is reputable; and
  
  sending, in response to the updated reputation indicating the entity is non-reputable, the electronic message to a dedicated interrogation engine to analyze the electronic message for threats related to the particular non-legitimate activity in which the entity has exhibited a tendency to participate, and wherein a different dedicated interrogation engine is used for each different non-legitimate activity.

14. At least one non-transitory, machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive a message through a communications interface, the message comprising information and being a message from and associated with an entity;
  
  receive a reputation score that is indicative of a reputation for the entity associated with the message;
  
  determine that the reputation score is indeterminate of the reputation of the entity, the reputation score being a value that does not provide an accurate indication of the reputation of the entity as being one of reputable or non-reputable, and in response to the determination;
  
  queue the message based upon the reputation score being indeterminate, thereby delaying delivery of the message;
  
  collect additional information associated with the entity that can be used to determine a reputation of the entity as being one of reputable or non-reputable;
  
  receive an updated reputation score that is indicative of the reputation for the entity associated with the message, the updated reputation score classifying the entity as being one of reputable or non-reputable and determined, in part, from the additional information collected, wherein a non-reputable reputation indicates a tendency by an entity to participate in a particular non-legitimate activity; and
  
  in response to receipt of the updated reputation score, process the queued message based upon updated reputation score to;
  
  deliver the message in response to the updated reputation score indicating the entity is reputable; and
  
  send, in response to the updated reputation score indicating the entity is non-reputable, the message to a dedicated interrogation engine to analyze the message for threats related to the particular non-legitimate activity in which the entity has exhibited a tendency to participate, and wherein a different dedicated interrogation engine is used for each different non-legitimate activity.

15. At least one non-transitory, machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to:
- receive an electronic communication that is associated with and received from an entity;
  
  receive a reputation associated with the entity associated with the electronic communication;
  
  in response to the received reputation of the entity associated with the electronic communication being indeterminate in that the received reputation does not provide an accurate indication of the reputation of the entity as being one of reputable or non-reputable;
  
  label the electronic communication as a suspicious electronic communication;
  
  delay delivery of the suspicious electronic communication;
  
  collect additional information associated with the entity that can be used to determine a reputation of the entity as being one of reputable or non-reputable;
  
  receive an updated reputation that is indicative of the reputation for the entity associated with the suspicious electronic communication, the updated reputation classifying the entity as being one of reputable or non-reputable and determined, in part, from the additional information collected, wherein a non-reputable reputation indicates a tendency by an entity to participate in a particular non-legitimate activity; and
  
  in response to receipt of the updated reputation, processing the suspicious electronic communication based on the updated reputation to;
  
  deliver the suspicious electronic communication message in response to the updated reputation indicating the entity is reputable; and
  
  send, in response to the updated reputation indicating the entity is non-reputable, the suspicious electronic communication message to a dedicated interrogation engine to analyze the suspicious electronic communication for threats related to the particular non-legitimate activity in which the entity has exhibited a tendency to participate, and wherein a different dedicated interrogation engine is used for each different non-legitimate activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alperovitch, Dmitri, Krasser, Sven
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US12/020,370
Publication Number

US 20080184366A1
Time in Patent Office

2,188 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 11/008 Reliability or availability...

H04L 51/212 using filtering or selectiv...

Reputation based message processing

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

689 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Reputation based message processing

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

689 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links