Method for inferring maliciousness of email and detecting a virus pattern

US 8,677,490 B2
Filed: 12/08/2006
Issued: 03/18/2014
Est. Priority Date: 11/13/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of distinguishing an abnormal e-mail, comprising the steps of:

decoding, through the use of a computer processor, received e-mail data;

analyzing the decoded e-mail data and classifying a header of the analyzed e-email data according to header fields of the header in the email data;

determining whether each of the header fields is normal or abnormal;

assigning one of a first value indicating a normal header field and a second value indicating an abnormal header field to the each of the header fields, according to the determination results;

applying a logical inference rule to the header fields given the one of the first value and the second value, the logical inference rule being a set of conditional operations that determine the e-mail data as normal or abnormal based on the first value or the second value given to the each of the header fields; and

determining that the e-mail data is normal or abnormal based on a result of the applying.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method of distinguishing an abnormal e-mail and determining whether an e-mail is affected with a virus. The method includes the steps of: decoding a received e-mail packet in a readable format and then analyzing and classifying a header of the packet according to header information; determining whether each classified piece of header information is normal or abnormal, and giving a specific value to the corresponding header information according to the determination result; distinguishing an abnormal e-mail using the specific values given to the respective pieces of header information according to a logical inference rule; and when there is an executable attachment file among the header information of the e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using distribution of similarity among data. The method effectively distinguishes an abnormal e-mail and determines whether an e-mail is infected with a virus without a database for spam filtering or a database of virus information, and thus is capable of stopping the propagation of new viruses. Therefore, an e-mail server can have a security technique and handle abnormal e-mail in a step before operation of a spam filter server or an antivirus server. Consequently, it is possible to manage a mail server more securely.

29 Citations

View as Search Results

20 Claims

1. A method of distinguishing an abnormal e-mail, comprising the steps of:
- decoding, through the use of a computer processor, received e-mail data;
  
  analyzing the decoded e-mail data and classifying a header of the analyzed e-email data according to header fields of the header in the email data;
  
  determining whether each of the header fields is normal or abnormal;
  
  assigning one of a first value indicating a normal header field and a second value indicating an abnormal header field to the each of the header fields, according to the determination results;
  
  applying a logical inference rule to the header fields given the one of the first value and the second value, the logical inference rule being a set of conditional operations that determine the e-mail data as normal or abnormal based on the first value or the second value given to the each of the header fields; and
  
  determining that the e-mail data is normal or abnormal based on a result of the applying.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20)
- - 2. The method of claim 1, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF.
  - 3. The method of claim 1, wherein when the each of the header fields is normal, the first value of 1 is given to the header field, and when a header field is abnormal, the second value of 0 is given to the header field.
  - 4. The method of claim 1, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr is given the first value, the recipient section To and the mail header H are given the second value, and the executable attachment file EF exists, the logical inference rule determines the e-mail data as abnormal.
  - 5. The-method of claim 1, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr is given the second value, the recipient section To is given the first value, the mail header H is given the second value, and the executable attachment file EF exists, the logical inference rule determines the e-mail data as abnormal.
  - 6. The method of claim 1, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr and the recipient section To are given the second value, the mail header H is given the first value, and the executable attachment file EF exists, the logical inference rule determines the e-mail data as abnormal.
  - 7. The method of claim 1, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr, the recipient section To, and the mail header H are given the second value, the logical inference rule determines the e-mail data as abnormal.
  - 20. The method of claim 1, wherein the set of conditional operations is a binary decision diagram having the pieces of header information as nodes and leaves that indicate whether the e-mail data is normal or abnormal reachable by traversing the binary decision diagram along edges between the nodes.

8. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
- decoding, through the use of a computer processor, received e-mail data;
  
  analyzing the decoded e-mail data and classifying a header of the analyzed e-mail data according to header fields of the header in the email data;
  
  determining whether each of the header fields is normal or abnormal;
  
  assigning one of a first value indicating a normal header field and a second value indicating an abnormal header field to the each of the header fields, according to the determination results;
  
  applying a logical inference rule to the header fields given the one of the first value and the second value, the logical inference rule being a set of conditional operations that determine the e-mail data as normal or abnormal based on the first value or the second value given to the each of the header fields;
  
  determining that the e-mail data is normal or abnormal based on a result of the applying; and
  
  when there is an executable attachment file indicated in the header fields of an e-mail distinguished as abnormal, determining whether the abnormal e-mail is infected with a virus using a distribution of similarity among data of the executable attachment file.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8, wherein the step of determining whether the abnormal e-mail is infected with a virus comprises the steps of:
    - converting and simplifying the data of the executable attachment file;
      
      normalizing the simplified data of the executable attachment file;
      
      obtaining the distribution of similarity among the data using the normalized data of the executable attachment file;
      
      analyzing the obtained distribution of similarity among the data; and
      
      when a previously set dense distribution pattern exists, determining that the executable attachment file is infected with a virus.
  - 10. The method of claim 9, wherein the distribution of similarity among the data is obtained by generating an optimized code map of the normalized data of the executable attachment file and constructing a new matrix on the basis of average values of surrounding values.
  - 11. The method of claim 8, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF.
  - 12. The method of claim 8, wherein when the each of the header fields is normal, the first value of 1 is given to the header field, and when a header field is abnormal, the second value of 0 is given to the header field.
  - 13. The method of claim 8, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr is given the first value, the recipient section To and the mail header H are given the second value, and the executable attachment file EF exists, the logical inference rule determines the e-mail data as abnormal.
  - 14. The method of claim 8, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr is given the second value, the recipient section To is given the first value, the mail header H is given the second value, and the executable attachment file EF exists, the logical inference rule determines the e-mail data as abnormal.
  - 15. The method of claim 8, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr and the recipient section To are given the second value, the mail header H is given the first value, and the executable attachment file EF exists, the logical inference rule determines the e-mail data as abnormal.
  - 16. The method of claim 8, wherein the header fields comprise a mail header H, an originator section Fr, a recipient section To, and information indicating presence or absence of an executable attachment file EF, and when the originator section Fr, the recipient section To, and the mail header H are given the second value, the logical inference rule determines the e-mail data as abnormal.

17. A method of determining whether an e-mail is infected with a virus, comprising the steps of:
- when an executable file is attached to a received e-mail, programming a computer for converting and simplifying data of the executable attachment file;
  
  normalizing the simplified data of the executable attachment file through the use of the computer;
  
  obtaining a distribution of similarity among the data of the executable attachment file using the normalized data of the executable attachment file; and
  
  analyzing the obtained distribution of similarity among data using the computer program, such that when a previously set dense distribution pattern exists, determining that the executable attachment file is infected with a virus.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein the distribution of similarity among data is obtained by generating an optimized codemap of the normalized data of the executable attachment file and then constructing a new matrix on the basis of average values of surrounding values.

19. A non-transitory computer-readable recording medium storing a program capable of executing a method of distinguishing an abnormal e-mail, comprising the steps of:
- decoding, through the use of a computer processor, received e-mail data;
  
  analyzing the decoded e-mail data and classifying a header of the analyzed e-email data according to header fields of the header in the email data;
  
  determining whether each of the header fields is normal or abnormal;
  
  assigning one of a first value indicating a normal header field and a second value indicating an abnormal header field to the each of the header fields, according to the determination results;
  
  applying a logical inference rule to the header fields given the one of the first value and the second value, the logical inference rule being a set of conditional operations that determine the e-mail data as normal or abnormal based on the first value or the second value given to the each of the header fields; and
  
  determining that the e-mail data is normal or abnormal based on a result of the applying.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Original Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Inventors
Yoo, In Seon
Primary Examiner(s)
Gergiso, Techane

Application Number

US11/913,280
Publication Number

US 20100077480A1
Time in Patent Office

2,657 Days
Field of Search

726/24, 713/188, 709/206
US Class Current

726/24
CPC Class Codes

G06Q 10/107 Computer-aided management o...

Method for inferring maliciousness of email and detecting a virus pattern

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for inferring maliciousness of email and detecting a virus pattern

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links