System and methods for detecting malicious email transmission
First Claim
1. A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
- (a) gathering statistics relating to transmission behavior of prior emails relating to a first email account on said computer system;
(b) generating a profile relating to the transmission behavior of email relating to said first email account based on said statistics, wherein generating a profile comprises grouping email addresses into one or more cliques based on the prior occurrence of email addresses within the same emails in a group of mails; and
(c) determining if a violation of email security has occurred by comparing one or more select emails relating to said first email account to said profile.
0 Assignments
0 Petitions
Accused Products
Abstract
A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
-
Citations
11 Claims
-
1. A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
-
(a) gathering statistics relating to transmission behavior of prior emails relating to a first email account on said computer system; (b) generating a profile relating to the transmission behavior of email relating to said first email account based on said statistics, wherein generating a profile comprises grouping email addresses into one or more cliques based on the prior occurrence of email addresses within the same emails in a group of mails; and (c) determining if a violation of email security has occurred by comparing one or more select emails relating to said first email account to said profile. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
Specification