Message classification based on likelihood of spoofing

US 8,856,239 B1
Filed: 02/10/2004
Issued: 10/07/2014
Est. Priority Date: 02/10/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of classifying a message transmitted over a network, the method comprising:

maintaining a reputation table in memory, the reputation table including information regarding a plurality of address-domain pairs, each of the plurality of address-domain pairs indicating an IP address and an associated domain of a previously received message, the information regarding each of the plurality of address-domain pairs including a score based on one or more classification variables, the one or more classification variables decaying with time;

receiving the message transmitted over the network and addressed to a recipient; and

executing instructions stored in a non-transitory computer readable storage medium to;

determine an associated domain from which the received message is purported to be sent,identify that the determined domain appears on a whitelist associated with the recipient,determine an IP address corresponding to a device from which the received message was relayed,associate the determined domain with the IP address to create an address-domain pair for the received message;

assign a score to the received message, the score comprising a ratio of a first classification variable of the address-domain pair to a second classification variable of the address-domain pair as indicated by the reputation table, wherein the score is indicative of spam;

determine whether the domain has been spoofed based on whether a common classification appears across a plurality of IP addresses associated with the domain, wherein;

the domain is determined not to be spoofed if the received message is on the whitelist but has common spam classification appearing across the plurality of IP addresses, andthe domain is determined to be spoofed if the received message is on the whitelist but has different classifications appearing across the plurality of IP addresses, andclassify the received message based on the determination whether the domain has been spoofed, whereinthe spam score is overridden and the received message is classified as good in accordance with the whitelist, the good classification based on the determination that the domain has not been spoofed, andthe whitelist is overridden and the received message is classified as spam in accordance with the spam score assigned to the address-domain pair, the spam classification based on different classifications appearing across the plurality of IP addresses associated with the determination that the domain has been spoofed.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for classifying a message is disclosed. The technique includes determining the domain from which the message is purported to be sent, determining an IP address from which the message was relayed at some point in its transmission, associating the domain with the IP address, and classifying the message based on the associated domain and IP address.

Citations

31 Claims

1. A method of classifying a message transmitted over a network, the method comprising:
- maintaining a reputation table in memory, the reputation table including information regarding a plurality of address-domain pairs, each of the plurality of address-domain pairs indicating an IP address and an associated domain of a previously received message, the information regarding each of the plurality of address-domain pairs including a score based on one or more classification variables, the one or more classification variables decaying with time;
  
  receiving the message transmitted over the network and addressed to a recipient; and
  
  executing instructions stored in a non-transitory computer readable storage medium to;
  
  determine an associated domain from which the received message is purported to be sent,identify that the determined domain appears on a whitelist associated with the recipient,determine an IP address corresponding to a device from which the received message was relayed,associate the determined domain with the IP address to create an address-domain pair for the received message;
  
  assign a score to the received message, the score comprising a ratio of a first classification variable of the address-domain pair to a second classification variable of the address-domain pair as indicated by the reputation table, wherein the score is indicative of spam;
  
  determine whether the domain has been spoofed based on whether a common classification appears across a plurality of IP addresses associated with the domain, wherein;
  
  the domain is determined not to be spoofed if the received message is on the whitelist but has common spam classification appearing across the plurality of IP addresses, andthe domain is determined to be spoofed if the received message is on the whitelist but has different classifications appearing across the plurality of IP addresses, andclassify the received message based on the determination whether the domain has been spoofed, whereinthe spam score is overridden and the received message is classified as good in accordance with the whitelist, the good classification based on the determination that the domain has not been spoofed, andthe whitelist is overridden and the received message is classified as spam in accordance with the spam score assigned to the address-domain pair, the spam classification based on different classifications appearing across the plurality of IP addresses associated with the determination that the domain has been spoofed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The method of claim 1, wherein classifying the received message is further based on classification variables associated with another address-domain pair, the other address-domain pair having a related IP address or related domain.
  - 3. The method of claim 1, wherein classifying the received message is further based on classifications of other messages associated with the domain of the received message, the other messages further being associated with IP addresses other than the IP address of the received message.
  - 4. The method of claim 1, wherein a plurality of IP addresses is associated with the domain.
  - 5. The method of claim 1, wherein the IP address is associated with a plurality of domains.
  - 6. The method of claim 1, wherein the IP address is a boundary IP address.
  - 7. The method of claim 1, wherein the IP address is preconfigured.
  - 8. The method of claim 1, wherein the IP address is preconfigured to be one hop from a gateway IP address.
  - 9. The method of claim 1, wherein the IP address is learned.
  - 10. The method of claim 9, wherein the IP address is a boundary IP address and wherein the boundary IP address is learned by detecting a pattern in a certain number of previously received messages.
  - 11. The method of claim 1, wherein the IP address is adaptively determined.
  - 12. The method of claim 1, wherein determining the domain from which the received message is purported to be sent includes identifying a stated sender domain associated with the received message.
  - 13. The method of claim 1, wherein the domain is a domain associated with a boundary IP address.
  - 14. The method of claim 1, wherein classifying the received message is further based on consulting a black list.
  - 15. The method of claim 1, wherein classifying the received message is further based on previous classifications made to the address-domain pair.
  - 16. The method of claim 1, wherein assigning the score includes determining a spam ratio.
  - 17. The method of claim 1, wherein assigning the score includes determining a spam rate.
  - 18. The method of claim 1, wherein assigning the score includes determining an estimated instantaneous spam rate.
  - 19. The method of claim 1, wherein assigning the score includes giving one of the classification variables greater weight relative to another one of the classification variables.
  - 20. The method of claim 19, wherein giving greater weight to one of the classification variables includes giving one of the classification variables associated with user classification greater weight relative to a classification variable associated with computer classification.
  - 21. The method of claim 1, wherein assigning the score includes giving an indeterminate classification a fraction of the weight of a good classification.
  - 22. The method of claim 1, wherein the reputation table is indexed by IP address and domain.
  - 23. The method of claim 1, wherein each cell of the reputation table includes information about previous classifications.
  - 24. The method of claim 1, further comprising providing the classification of the received message based on the address-domain pair as input to another classifier.
  - 25. The method of claim 24, wherein the other classifier is a Bayesian classifier.
  - 26. The method of claim 1, wherein classifying the received message is further based on a score assigned to the IP address.
  - 27. The method of claim 26, further comprising determining the score assigned to the IP address.
  - 28. The method of claim 1, wherein classifying the received message is further based on a score assigned to the domain.
  - 29. The method of claim 28, further comprising determining the score assigned to the domain.
  - 30. The method of claim 1, further comprising determining that the domain of the received message was forged based on the score assigned to the domain.

31. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for classifying a message transmitted over a network the method comprising:
- determining an associated domain from which a received message is purported to be sent;
  
  identifying that the determined domain appears on a whitelist associated with a recipient of the received message,determining an IF address from which the received message was relayed;
  
  associating the determined domain with the IP address to create an address-domain pair for the received message;
  
  assigning a score to the received message, the score indicative of spam and comprising a ratio of a first classification variable of the address-domain pair to a second classification variable of the address-domain pair, the first classification variable and the second classification variable indicated by a reputation table including information regarding a plurality of address-domain pairs, each of the plurality of address-domain pairs indicating an IP address and an associated domain of a previously received message, the information regarding each of the plurality of address-domain pairs including a score based on one or more classification variables, the one or more classification variables decaying with time,determining whether the domain has been spoofed based on whether a common classification appears across a plurality of IP addresses associated with the domain, wherein;
  
  the domain is determined not to be spoofed if the received message is on the whitelist but has common spam classification appearing across the plurality of IP addresses, andthe domain is determined to be spoofed if the received message is on the whitelist but has different classifications appearing across the plurality of IP addresses,andclassifying the received message based on the determination whether the domain has been spoofed, wherein;
  
  the spam score is overridden and the received message is classified as good in accordance with the whitelist, the good classification based on the determination that the domain has not been spoofed, andthe whitelist is overridden and the received message is classified as spam in accordance with the spam score assigned to the address-domain pair, the spam classification based on the determination that the domain has been spoofed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malifrontier Incorporated, Quest Software, Inc.
Original Assignee
SonicWALL, Inc. (SonicWall Holdings Ltd.)
Inventors
Oliver, Jonathan J., Koblas, David A.
Primary Examiner(s)
Eskandarnia, Arvin

Application Number

US10/776,677
Time in Patent Office

3,892 Days
Field of Search

709/206, 709/205, 709/207
US Class Current

709/206
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 47/40   using split connections

H04L 49/15   Interconnection of switchin...

H04L 51/212   using filtering or selectiv...

H04L 61/4511   using domain name system [DNS]

H04L 61/4552   Lookup mechanisms between a...

H04L 63/101   Access control lists [ACL]

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

H04L 69/22   Parsing or analysis of headers

Message classification based on likelihood of spoofing

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Message classification based on likelihood of spoofing

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links