Method for inferring maliciousness of email and detecting a virus pattern
Abstract
Provided is a method of distinguishing an abnormal e-mail and determining whether an e-mail is infected with a virus. The method includes the steps of: decoding a received e-mail packet into a readable format and then analyzing and classifying a header of the packet according to header information; determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and, when there is an executable attachment file among the header information of an e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using the distribution of similarity among its data. The method distinguishes an abnormal e-mail and determines whether an e-mail is infected with a virus without a spam-filtering database or a database of virus information, and is thus capable of stopping the propagation of new viruses. Therefore, an e-mail server can apply this security technique and handle abnormal e-mail in a step before a spam filter server or an antivirus server operates. Consequently, a mail server can be managed more securely.
Claims (20)
1. A method of distinguishing an abnormal e-mail, comprising the steps of:
decoding, through the use of a computer processor, received e-mail data;
analyzing the decoded e-mail data and classifying a header of the analyzed e-mail data according to header fields of the header in the e-mail data;
determining whether each of the header fields is normal or abnormal;
assigning one of a first value indicating a normal header field and a second value indicating an abnormal header field to the each of the header fields, according to the determination results;
applying a logical inference rule to the header fields given the one of the first value and the second value, the logical inference rule being a set of conditional operations that determine the e-mail data as normal or abnormal based on the first value or the second value given to the each of the header fields; and
determining that the e-mail data is normal or abnormal based on a result of the applying.
(Dependent claims: 2, 3, 4, 5, 6, 7, 20)
8. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
decoding, through the use of a computer processor, received e-mail data;
analyzing the decoded e-mail data and classifying a header of the analyzed e-mail data according to header fields of the header in the e-mail data;
determining whether each of the header fields is normal or abnormal;
assigning one of a first value indicating a normal header field and a second value indicating an abnormal header field to the each of the header fields, according to the determination results;
applying a logical inference rule to the header fields given the one of the first value and the second value, the logical inference rule being a set of conditional operations that determine the e-mail data as normal or abnormal based on the first value or the second value given to the each of the header fields;
determining that the e-mail data is normal or abnormal based on a result of the applying; and
when there is an executable attachment file indicated in the header fields of an e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using a distribution of similarity among data of the executable attachment file.
(Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16)
17. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
when an executable file is attached to a received e-mail, programming a computer for converting and simplifying data of the executable attachment file;
normalizing the simplified data of the executable attachment file through the use of the computer;
obtaining a distribution of similarity among the data of the executable attachment file using the normalized data of the executable attachment file; and
analyzing the obtained distribution of similarity among data using the computer program, such that when a previously set dense distribution pattern exists, determining that the executable attachment file is infected with a virus.
(Dependent claims: 18)
19. A non-transitory computer-readable recording medium storing a program capable of executing a method of distinguishing an abnormal e-mail, comprising the steps of:
decoding, through the use of a computer processor, received e-mail data;
analyzing the decoded e-mail data and classifying a header of the analyzed e-mail data according to header fields of the header in the e-mail data;
determining whether each of the header fields is normal or abnormal;
assigning one of a first value indicating a normal header field and a second value indicating an abnormal header field to the each of the header fields, according to the determination results;
applying a logical inference rule to the header fields given the one of the first value and the second value, the logical inference rule being a set of conditional operations that determine the e-mail data as normal or abnormal based on the first value or the second value given to the each of the header fields; and
determining that the e-mail data is normal or abnormal based on a result of the applying.
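As an added example (not code from the patent or its assignee), the header-classification and inference steps shared by claims 1, 8 and 19 in Python: each header field receives the first value (normal) or the second value (abnormal) from a per-field check, and a small set of conditional operations over those values decides whether the message is abnormal. The per-field checks, the rule's conditions and the two sample messages are constructed assumptions; the patent leaves all three unspecified.

```python
# Added example, not the patent's code: header classification plus a logical
# inference rule (claims 1, 8, 19). Checks, rule and samples are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

NORMAL, ABNORMAL = 0, 1   # the claims' "first value" and "second value"

def _addr_ok(value):
    # A mailbox field is normal when it carries one well-formed address.
    _, addr = parseaddr(value or "")
    return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", addr) is not None

def _msgid_ok(value):
    v = (value or "").strip()
    return v.startswith("<") and v.endswith(">") and "@" in v

# One check per header field; True means the field looks normal.
FIELD_CHECKS = {
    "From": _addr_ok,
    "To": _addr_ok,
    "Message-ID": _msgid_ok,
    "Date": lambda v: v is not None and re.search(r"\b\d{4}\b", v) is not None,
    "Subject": lambda v: v is not None and len(v) < 200,
    "Content-Type": lambda v: v is not None and "/" in v,
}

def classify_headers(raw_email):
    """Decode the message and give each header field NORMAL or ABNORMAL."""
    msg = message_from_string(raw_email)          # the decoding step
    return {name: NORMAL if check(msg.get(name)) else ABNORMAL
            for name, check in FIELD_CHECKS.items()}

def infer_abnormal(values):
    """Logical inference rule: conditional operations over the field values."""
    if values["From"] == ABNORMAL and values["Message-ID"] == ABNORMAL:
        return True                 # sender identity cannot be relied on at all
    if values["From"] == ABNORMAL and values["Date"] == ABNORMAL:
        return True
    return sum(values.values()) >= 3    # or simply too many abnormal fields

def is_abnormal(raw_email):
    return infer_abnormal(classify_headers(raw_email))

# Constructed sample messages: one well-formed, one with missing/malformed fields.
GOOD = ("From: Alice <alice@example.com>\r\nTo: bob@example.org\r\nSubject: hi\r\n"
        "Date: Mon, 1 Jan 2024 10:00:00 +0000\r\nMessage-ID: <abc123@example.com>\r\n"
        "Content-Type: text/plain\r\n\r\nhello\r\n")
BAD = ("From: lottery winner\r\nTo: bob@example.org\r\nSubject: YOU WON\r\n"
       "Content-Type: text/plain\r\n\r\nclick\r\n")
```

Running `is_abnormal(BAD)` flags the second message through the first conditional (malformed From plus missing Message-ID), while every field of `GOOD` receives the normal value.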