Time zero detection of infectious messages
Abstract
Detecting infectious messages comprises performing an individual characteristic analysis of a message to determine whether the message is suspicious, determining whether a similar message has been noted previously in the event that the message is determined to be suspicious, classifying the message according to its individual characteristics and its similarity to the noted message in the event that a similar message has been noted previously.
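The two-stage scoring that the abstract and claim 1 describe, as an added sketch that is not code from the patent or its assignee. The trait list, signature fields, constants and the noisy-OR combination are all assumptions chosen for illustration; the claims do not specify them.

```python
import hashlib
from collections import deque

# All constants and trait choices below are assumptions, not values from the patent.
THRESHOLD = 0.9          # overall probability at which a message is "infectious"
WINDOW_SECONDS = 600     # look-back window for the traffic analysis
SPIKE_SIZE = 4           # similar suspicious messages that count as a full spike
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".vbs")

class Detector:
    def __init__(self):
        self.suspicious = deque()   # (timestamp, signature) of stored suspicious messages

    @staticmethod
    def signature(msg):
        # Signature over individual characteristics: attachment type, size, content hash.
        ext = msg["attachment"].lower().rsplit(".", 1)[-1]
        return f"{ext}:{len(msg['payload'])}:{hashlib.sha256(msg['payload']).hexdigest()}"

    def classify(self, msg, now):
        while self.suspicious and now - self.suspicious[0][0] > WINDOW_SECONDS:
            self.suspicious.popleft()            # forget traffic outside the window
        sig = self.signature(msg)
        similar = sum(1 for _, s in self.suspicious if s == sig)
        # First probability: the message's own traits, raised if it matches an earlier one.
        p1 = 0.5 if msg["attachment"].lower().endswith(RISKY_EXTENSIONS) else 0.1
        if similar:
            p1 = min(1.0, p1 + 0.2)
        # Second probability: how close the count of similar messages is to a spike.
        p2 = min(1.0, similar / SPIKE_SIZE)
        overall = 1 - (1 - p1) * (1 - p2)        # noisy-OR combination (assumed)
        if overall >= THRESHOLD:
            return "infectious", overall
        self.suspicious.append((now, sig))       # below threshold: keep as suspicious
        return "suspicious", overall

def run_demo():
    # Constructed sample: the same attachment arriving five times in 40 seconds,
    # then once more long after the window has expired.
    msg = {"attachment": "invoice.SCR", "payload": b"constructed sample bytes"}
    det = Detector()
    burst = [det.classify(msg, t)[0] for t in (0, 10, 20, 30, 40)]
    late = det.classify(msg, 5000)[0]
    return burst, late

if __name__ == "__main__":
    print(run_demo())
```

With these assumed values the first three copies stay below the threshold and are stored as suspicious; the fourth arrives on top of that spike and is classified as infectious, while a lone copy after the window has emptied is only suspicious again.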
18 Claims
1. A method of detecting infectious messages, the method comprising:
performing a first individual characteristic analysis of a message, wherein the first individual characteristic analysis includes comparing the individual characteristics of the message to individual characteristics of a previously received message;
generating a first probability of infection based on the first individual characteristic analysis;
generating a second probability of infection based on a second analysis of the message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
determining an overall probability of infection based on the first probability and the second probability; and
classifying the message as infectious based on the overall probability meeting a threshold, wherein the message is classified as suspicious based on failure of the overall probability to meet the threshold.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A method of detecting infectious messages, the method comprising:
performing a first individual characteristic analysis of a message, wherein performing the first individual characteristic analysis includes comparing a signature based on the individual characteristics of the message to a signature based on individual characteristics of a previously received message;
generating a first probability of infection based on the first individual characteristic analysis;
generating a second probability of infection based on a second analysis of the message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
determining an overall probability of infection based on the first probability and the second probability; and
classifying the message as infectious based on the overall probability meeting a threshold, wherein the message is classified as suspicious based on failure of the overall probability to meet the threshold.
13. An apparatus for detecting infectious messages, the apparatus comprising:
a testing module stored in memory and executable by a processor to generate a first and second probability of infection, the first probability of infection based on an individual characteristic analysis of a message, wherein the individual characteristic analysis includes a comparison of a signature based on the individual characteristics of the message to a signature based on individual characteristics of a previously received message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
a processor to execute instructions stored in memory to determine an overall probability of infection based on the first probability of infection and the second probability of infection; and
a message classifier stored in memory and executable to classify the message as infectious based on the overall probability meeting a threshold and to classify the message as suspicious based on failure of the overall probability to meet the threshold.
Dependent claims: 14, 15, 16, 17.
18. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method, the method comprising:
performing a first individual characteristic analysis of a message, wherein the first individual characteristic analysis includes comparing the individual characteristics of the message to individual characteristics of a previously received message;
generating a first probability of infection based on the first individual characteristic analysis;
generating a second probability of infection based on a second analysis of the message, the second analysis including a traffic analysis for identifying a spike in a number of previously received messages similar to the message, the previously received messages having been classified as suspicious and stored in memory;
determining an overall probability of infection based on the first probability and the second probability; and
classifying the message as infectious based on the overall probability meeting a threshold, wherein the message is classified as suspicious based on failure of the overall probability to meet the threshold.
Specification