System, method, and logic for classifying communications

US 8,875,293 B2
Filed: 09/22/2011
Issued: 10/28/2014
Est. Priority Date: 09/22/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for execution by one or more processors, the method comprising:

intercepting a communication of a first type at a first node of a security system;

extracting communication metadata from the communication, the communication metadata comprising a plurality of different fields, the plurality of different fields including first header fields from the communication, each of the first header fields including characters that describe a property of the communication;

determining if the communication comprises an attached file;

upon determining the communication comprises an attached file, extracting file metadata from the file, the file metadata comprising a second plurality of different fields, the second plurality of different fields including second header fields of the file different from the first header fields, each of the second header fields including characters that describe a property of the file;

determining a score for each field of extracted metadata comprising the file metadata and the communication metadata, the score for each field of the extracted metadata indicative of a likelihood that the communication is a malicious communication, the score for each field of the extracted metadata determined based on previous communications;

combining the scores for the plurality of fields of the extracted metadata to generate a combined score for the communication, the combined score based on an algorithm developed from the previous communications, the algorithm including assigning varying weights to one or more of the plurality of fields;

generating, at a first time based on the combined score, a predicted classification providing a prediction as to whether the communication is a malicious communication;

receiving, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication; and

updating the algorithm based on the indication of whether the communication is a malicious communication.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with particular embodiments, a method includes intercepting a communication and extracting metadata associated with the communication. The extracted metadata comprises a plurality of different fields from communication metadata and file metadata. The method further includes determining a score, based on previous communications, for each field of the extracted metadata. The score is indicative of a likelihood that the communication is a malicious communication. The method additionally includes combining the scores to generate a combined score for the communication based on an algorithm developed from the previous communications. The method also includes generating, based on the combined score at a first time, a predicted classification as to whether the communication is a malicious communication. The method further includes receiving, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication and updating the algorithm based on the indication.

27 Citations

View as Search Results

24 Claims

1. A computer-implemented method for execution by one or more processors, the method comprising:
- intercepting a communication of a first type at a first node of a security system;
  
  extracting communication metadata from the communication, the communication metadata comprising a plurality of different fields, the plurality of different fields including first header fields from the communication, each of the first header fields including characters that describe a property of the communication;
  
  determining if the communication comprises an attached file;
  
  upon determining the communication comprises an attached file, extracting file metadata from the file, the file metadata comprising a second plurality of different fields, the second plurality of different fields including second header fields of the file different from the first header fields, each of the second header fields including characters that describe a property of the file;
  
  determining a score for each field of extracted metadata comprising the file metadata and the communication metadata, the score for each field of the extracted metadata indicative of a likelihood that the communication is a malicious communication, the score for each field of the extracted metadata determined based on previous communications;
  
  combining the scores for the plurality of fields of the extracted metadata to generate a combined score for the communication, the combined score based on an algorithm developed from the previous communications, the algorithm including assigning varying weights to one or more of the plurality of fields;
  
  generating, at a first time based on the combined score, a predicted classification providing a prediction as to whether the communication is a malicious communication;
  
  receiving, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication; and
  
  updating the algorithm based on the indication of whether the communication is a malicious communication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining the score for each field of the extracted metadata comprises:
    - maintaining a database comprising;
      
      field values associated with previously extracted metadata from the previous communications intercepted at the first node of the security system; and
      
      an indication of whether the previous communications associated with particular field values were malicious communications;
      
      adding to the database a plurality of field values for the plurality of different fields from the extracted metadata associated with the communication; and
      
      updating the database based on the indication of whether the communication is a malicious communication.
  - 3. The method of claim 1, wherein extracting communication metadata comprises extracting a sub-set of fields of the plurality of different fields of the communication metadata associated with the communication, the sub-set of fields based on fields of communication metadata most relevant to generating at the first time the predicted classification as to whether the communication is a malicious communication.
  - 4. The method of claim 1, further comprising identifying one or more extracted metadata fields and field values that are indicative of a malicious communication, the identified metadata fields and field values not previously recognized as being indicative of the first type of communication.
  - 5. The method of claim 1, wherein generating the predicted classification comprises applying Bayesian analysis to generate a predicted classification as to whether the communication is a malicious communication.
  - 6. The method of claim 1, wherein the malicious communication is an unsolicited communication comprising malware.
  - 7. The method of claim 1, wherein the malicious communication is a communication comprising malicious code.
  - 8. The method of claim 1, wherein determining the score for each field of the extracted metadata comprises determining the score for each field of the extracted metadata based on data provided by at least a second node of the security system.

9. A system for classifying a communication, comprising:
- an interface configured to intercept a communication of a first type at a first node of a security system;
  
  a processor coupled to the interface and configured to;
  
  extract communication metadata from the communication, the communication metadata comprising a plurality of different fields, the plurality of different fields including first header fields, each of the first header fields including characters that describe a property of the communication;
  
  determine if the communication comprises an attached file;
  
  upon determining the communication comprises an attached file, extract file metadata from the file, the file metadata comprising a second plurality of different fields, the second plurality of different fields including second header fields, different from the first header fields, each of the second header fields including characters that describe a property of the file;
  
  determine a score for each field of extracted metadata comprising the file metadata and the communication meta data, the score for each field of the extracted metadata indicative of a likelihood that the communication is a malicious communication, the score for each field of the extracted metadata determined based on previous communications;
  
  combine the scores for the plurality of fields of the extracted metadata to generate a combined score for the communication, the combined score based on an algorithm developed from the previous communications, the algorithm including assigning varying weights to one or more of the plurality of fields; and
  
  generate, at a first time based on the combined score, a predicted classification providing a prediction as to whether the communication is a malicious communication;
  
  wherein the interface is further configured to receive, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication; and
  
  the processor is further configured to update the algorithm based on the indication of whether the communication is a malicious communication.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the processor configured to determine the score for each field of the extracted metadata is further configured to:
    - maintain a database comprising;
      
      field values associated with previously extracted metadata from the previous communications intercepted at the first node of the security system; and
      
      an indication of whether the previous communications associated with particular field values were malicious communications;
      
      add to the database a plurality of field values for the plurality of different fields from the extracted metadata associated with the communication; and
      
      update the database based on the indication of whether the communication is a malicious communication.
  - 11. The system of claim 9, wherein the processor configured to extract communication metadata is further configured to extract a sub-set of fields of the plurality of different fields of the communication metadata associated with the communication, the sub-set of fields based on fields of communication metadata most relevant to generating at the first time the predicted classification as to whether the communication is a malicious communication.
  - 12. The system of claim 9, wherein the processor is further configured to identify one or more extracted metadata fields and field values that are indicative of a malicious communication, the identified metadata fields and field values not previously recognized as being indicative of a malicious communication.
  - 13. The system of claim 9, wherein the processor configured to generate a predicted classification is further configured to apply Bayesian analysis to generate a predicted classification as to whether the communication is a malicious communication.
  - 14. The system of claim 9, wherein the malicious communication is an unsolicited communication comprising malware.
  - 15. The system of claim 9, wherein the malicious communication is a communication comprising malicious code.
  - 16. The system of claim 9, wherein the processor configured to determine a score for each field of the extracted metadata is further configured to determine the score for each field of the extracted metadata based on data provided by at least a second node of the security system.

17. Non-transitory computer-readable storage media comprising instructions that when executed by a processor are operable to:
- intercept a communication of a first type at a first node of a security system;
  
  extract communication metadata from the communication, the metadata comprising a plurality of different fields, the plurality of different fields including first header fields, each of the first header fields including characters that describe a property of the communication;
  
  determine if the communication comprises an attached file;
  
  upon determining the communication comprises an attached file, extract file metadata from the file, the file metadata comprising a second plurality of different fields, the second plurality of different fields including second header fields, different from the first header fields, each of the second header fields including characters that describe a property of the file;
  
  determine a score for each field of extracted metadata comprising the file metadata and the communication metadata, the score for each field of the extracted metadata indicative of a likelihood that the communication is a malicious communication, the score for each field of the extracted metadata determined based on previous communications;
  
  combine the scores for the plurality of fields of the extracted metadata to generate a combined score for the communication, the combined score based on an algorithm developed from the previous communications, the algorithm including assigning varying weights to one or more of the plurality of fields;
  
  generate, at a first time based on the combined score, a predicted classification providing a prediction as to whether the communication is a malicious communication;
  
  receive, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication; and
  
  update the algorithm based on the indication of whether the communication is a malicious communication.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The media of claim 17, wherein the instructions operable to determine the score for each field of the extracted metadata are further operable to:
    - maintain a database comprising;
      
      field values associated with previously extracted metadata from the previous communications intercepted at the first node of the security system; and
      
      an indication of whether the previous communications associated with particular field values were malicious communications;
      
      add to the database a plurality of field values for the plurality of different fields from the extracted metadata associated with the communication; and
      
      update the database based on the indication of whether the communication is a malicious communication.
  - 19. The media of claim 17, wherein the instructions operable to extract communication metadata are further operable to extract a sub-set of fields of the plurality of different fields of the communication metadata associated with the communication, the sub-set of fields based on fields of communication metadata most relevant to generating at the first time the predicted classification as to whether the communication is a malicious communication.
  - 20. The media of claim 17, wherein the instructions are further operable to identify one or more extracted metadata fields and field values that are indicative of the malicious communication, the identified metadata fields and field values not previously recognized as being indicative of the malicious communication.
  - 21. The media of claim 17, wherein the instructions operable to generate a predicted classification are further operable to apply Bayesian analysis to generate a predicted classification as to whether the communication is a malicious communication.
  - 22. The media of claim 17, wherein the malicious communication is a communication comprising malware.
  - 23. The media of claim 17, wherein the malicious communication is a communication comprising malicious code.
  - 24. The media of claim 17, wherein the instructions operable to determine a score for each field of the extracted metadata are further operable to determine the score for each field of the extracted metadata based on data provided by at least a second node of the security system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
McDougal, Monty D., Sterns, William E., Jennings, Randy S.
Primary Examiner(s)
Revak, Christopher
Assistant Examiner(s)
Su, Sarah

Application Number

US13/240,567
Publication Number

US 20130081142A1
Time in Patent Office

1,132 Days
Field of Search

726/22, 726/23, 726/24, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 67/06   specially adapted for file ...

System, method, and logic for classifying communications

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and logic for classifying communications

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links