System, method, and logic for classifying communications
First Claim
1. A computer-implemented method for execution by one or more processors, the method comprising:
intercepting a communication of a first type at a first node of a security system;
extracting communication metadata from the communication, the communication metadata comprising a plurality of different fields, the plurality of different fields including first header fields from the communication, each of the first header fields including characters that describe a property of the communication;
determining if the communication comprises an attached file;
upon determining the communication comprises an attached file, extracting file metadata from the file, the file metadata comprising a second plurality of different fields, the second plurality of different fields including second header fields of the file different from the first header fields, each of the second header fields including characters that describe a property of the file;
determining a score for each field of extracted metadata comprising the file metadata and the communication metadata, the score for each field of the extracted metadata indicative of a likelihood that the communication is a malicious communication, the score for each field of the extracted metadata determined based on previous communications;
combining the scores for the plurality of fields of the extracted metadata to generate a combined score for the communication, the combined score based on an algorithm developed from the previous communications, the algorithm including assigning varying weights to one or more of the plurality of fields;
generating, at a first time based on the combined score, a predicted classification providing a prediction as to whether the communication is a malicious communication;
receiving, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication; and
updating the algorithm based on the indication of whether the communication is a malicious communication.
Abstract
In accordance with particular embodiments, a method includes intercepting a communication and extracting metadata associated with the communication. The extracted metadata comprises a plurality of different fields from communication metadata and file metadata. The method further includes determining a score, based on previous communications, for each field of the extracted metadata. The score is indicative of a likelihood that the communication is a malicious communication. The method additionally includes combining the scores to generate a combined score for the communication based on an algorithm developed from the previous communications. The method also includes generating, based on the combined score at a first time, a predicted classification as to whether the communication is a malicious communication. The method further includes receiving, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication and updating the algorithm based on the indication.
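The pipeline described in the abstract and in claim 1 (intercept a message, extract communication header fields and, when an attachment is present, file header fields, score each field from previously seen communications, combine the scores with per-field weights, emit a prediction, and later update the algorithm when the true label arrives) as a runnable toy. This is an illustration added here, not the patent's or the assignee's code. The specific header fields, the scoring rule (a smoothed log-likelihood ratio over previously labelled mail, neutral for values never seen before), the weighted sum, the perceptron-style weight update and every sample message are assumptions made for the example.

```python
"""Toy version of the claimed pipeline (added illustration, not the patent's
code).  The fields scored, the per-field score (smoothed log-likelihood ratio
over previously labelled mail, neutral for never-seen values), the weighted sum
and the perceptron-style weight update are assumptions; all mail is constructed."""
import email
import math
from collections import defaultdict
from email import policy
from email.message import EmailMessage

COMM_FIELDS = ("From", "X-Mailer", "Subject")  # communication header fields (assumed)

def extract_metadata(raw: bytes) -> dict:
    """Communication metadata from the headers plus, if an attachment exists,
    file metadata: name, declared type and the first header bytes (magic)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    meta = {f: str(msg[f]).strip().lower() for f in COMM_FIELDS if msg[f] is not None}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        meta["file_name"] = (part.get_filename() or "").lower()
        meta["file_content_type"] = part.get_content_type()
        meta["file_magic"] = payload[:4].hex()
        break  # the toy scores only the first attachment
    return meta

class CommunicationClassifier:
    def __init__(self, lr: float = 0.1):
        # counts[label][(field, value)] and n[label] over previous communications
        self.counts = {True: defaultdict(int), False: defaultdict(int)}
        self.n = {True: 0, False: 0}
        self.weights = defaultdict(lambda: 1.0)  # per-field weights of the algorithm
        self.lr = lr

    def field_score(self, field: str, value: str) -> float:
        """log P(value|malicious) - log P(value|benign), add-one smoothed,
        from previous communications; 0.0 when the value was never seen."""
        key = (field, value)
        if not (self.counts[True][key] or self.counts[False][key]):
            return 0.0
        p_mal = (self.counts[True][key] + 1) / (self.n[True] + 2)
        p_ben = (self.counts[False][key] + 1) / (self.n[False] + 2)
        return math.log(p_mal / p_ben)

    def combined_score(self, meta: dict) -> float:
        return sum(self.weights[f] * self.field_score(f, v) for f, v in meta.items())

    def predict(self, meta: dict) -> bool:
        return self.combined_score(meta) > 0.0  # True = predicted malicious

    def update(self, meta: dict, is_malicious: bool) -> None:
        """Indication received at the second time: if the prediction was wrong,
        move each field's weight the way that would have fixed it, then fold
        the labelled mail into the statistics used for later scores."""
        if self.predict(meta) != is_malicious:
            direction = 1.0 if is_malicious else -1.0
            for f, v in meta.items():
                step = self.lr * direction * self.field_score(f, v)
                self.weights[f] = max(0.0, self.weights[f] + step)
        for f, v in meta.items():
            self.counts[is_malicious][(f, v)] += 1
        self.n[is_malicious] += 1

def build_mail(sender, subject, mailer, attachment) -> bytes:
    """Constructed sample message; attachment = (name, content type, bytes)."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "soc@example.test"
    m["Subject"], m["X-Mailer"] = subject, mailer
    m.set_content("see attached")
    name, ctype, data = attachment
    maintype, subtype = ctype.split("/", 1)
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()

# Previous communications with the label that arrived later (constructed).
HISTORY = [
    (build_mail("hr@corp.test", "payroll summary", "outlook 16.0",
                ("summary.pdf", "application/pdf", b"%PDF-1.4\n")), False),
    (build_mail("billing@corp.test", "invoice q3", "outlook 16.0",
                ("q3.pdf", "application/pdf", b"%PDF-1.7\n")), False),
    (build_mail("ceo@corp-secure.test", "urgent invoice", "phpmailer 5.2",
                ("invoice.exe", "application/octet-stream", b"MZ\x90\x00\x03")), True),
    (build_mail("accounts@pay-now.test", "urgent payment", "phpmailer 5.2",
                ("pay.js", "application/octet-stream", b"var x")), True),
]

def demo() -> dict:
    """Replay history (predict, then learn from the label), then score new mail."""
    clf = CommunicationClassifier()
    for raw, label in HISTORY:
        clf.update(extract_metadata(raw), label)
    suspect = extract_metadata(build_mail("finance@pay-now.test", "urgent payment",
        "phpmailer 5.2", ("pay.exe", "application/octet-stream", b"MZ\x90\x00\x03")))
    routine = extract_metadata(build_mail("hr@corp.test", "payroll summary",
        "outlook 16.0", ("summary.pdf", "application/pdf", b"%PDF-1.4\n")))
    return {"classifier": clf, "routine_meta": routine,
            "suspect_score": clf.combined_score(suspect),
            "suspect_malicious": clf.predict(suspect),
            "routine_malicious": clf.predict(routine)}
```

Two design points worth noting. Scoring a never-seen value as 0.0 rather than through the smoothed ratio keeps the class prior from leaking into every unknown field (with add-one smoothing alone, an unseen value scores positive whenever fewer malicious than benign messages have been seen). And the weight update only fires when the first-time prediction disagrees with the second-time indication, which is the feedback loop the claim describes; the per-value counts are updated on every labelled message regardless. A production system would score far more fields (the Received chain, authentication results, the full file header rather than four magic bytes) and would bound how much a single late label can move a weight.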
24 Claims
1. (Independent claim 1 is reproduced above under First Claim.) - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
9. A system for classifying a communication, comprising:
an interface configured to intercept a communication of a first type at a first node of a security system;
a processor coupled to the interface and configured to:
extract communication metadata from the communication, the communication metadata comprising a plurality of different fields, the plurality of different fields including first header fields, each of the first header fields including characters that describe a property of the communication;
determine if the communication comprises an attached file;
upon determining the communication comprises an attached file, extract file metadata from the file, the file metadata comprising a second plurality of different fields, the second plurality of different fields including second header fields, different from the first header fields, each of the second header fields including characters that describe a property of the file;
determine a score for each field of extracted metadata comprising the file metadata and the communication metadata, the score for each field of the extracted metadata indicative of a likelihood that the communication is a malicious communication, the score for each field of the extracted metadata determined based on previous communications;
combine the scores for the plurality of fields of the extracted metadata to generate a combined score for the communication, the combined score based on an algorithm developed from the previous communications, the algorithm including assigning varying weights to one or more of the plurality of fields; and
generate, at a first time based on the combined score, a predicted classification providing a prediction as to whether the communication is a malicious communication;
wherein the interface is further configured to receive, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication; and the processor is further configured to update the algorithm based on the indication of whether the communication is a malicious communication.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
17. Non-transitory computer-readable storage media comprising instructions that when executed by a processor are operable to:
intercept a communication of a first type at a first node of a security system;
extract communication metadata from the communication, the metadata comprising a plurality of different fields, the plurality of different fields including first header fields, each of the first header fields including characters that describe a property of the communication;
determine if the communication comprises an attached file;
upon determining the communication comprises an attached file, extract file metadata from the file, the file metadata comprising a second plurality of different fields, the second plurality of different fields including second header fields, different from the first header fields, each of the second header fields including characters that describe a property of the file;
determine a score for each field of extracted metadata comprising the file metadata and the communication metadata, the score for each field of the extracted metadata indicative of a likelihood that the communication is a malicious communication, the score for each field of the extracted metadata determined based on previous communications;
combine the scores for the plurality of fields of the extracted metadata to generate a combined score for the communication, the combined score based on an algorithm developed from the previous communications, the algorithm including assigning varying weights to one or more of the plurality of fields;
generate, at a first time based on the combined score, a predicted classification providing a prediction as to whether the communication is a malicious communication;
receive, at a second time subsequent to the first time, an indication of whether the communication is a malicious communication; and
update the algorithm based on the indication of whether the communication is a malicious communication.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
Specification