System and methods for detecting malicious email transmission
First Claim
1. A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
- (a) gathering statistics relating to transmission behavior of prior emails relating to a first email account on said computer system;
(b) generating a profile relating to the transmission behavior of email relating to said first email account based on said statistics, wherein generating a profile comprises grouping email addresses into one or more cliques based on the prior occurrence of email addresses within the same emails in a group of mails; and
(c) determining if a violation of email security has occurred by comparing one or more select emails relating to said first email account to said profile.
0 Assignments
0 Petitions
Accused Products
Abstract
A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
-
Citations
11 Claims
-
1. A method for monitoring transmission of email through a computer system, said computer system comprising a server and one or more clients having an email account, the method comprising:
-
(a) gathering statistics relating to transmission behavior of prior emails relating to a first email account on said computer system; (b) generating a profile relating to the transmission behavior of email relating to said first email account based on said statistics, wherein generating a profile comprises grouping email addresses into one or more cliques based on the prior occurrence of email addresses within the same emails in a group of mails; and (c) determining if a violation of email security has occurred by comparing one or more select emails relating to said first email account to said profile. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
Specification
-
- Resources
-
Current AssigneeTrustees Of Columbia University In The City Of New York (Columbia University)
-
Original AssigneeTrustees Of Columbia University In The City Of New York (Columbia University)
-
InventorsStolfo, Salvatore J., Eskin, Eleazar, Herskop, Shlomo, Bhattacharyya, Manasi
-
Primary Examiner(s)Yalew, Fikremariam A
-
Application NumberUS13/848,529Publication NumberTime in Patent Office656 DaysField of SearchNoneUS Class Current726/22CPC Class CodesH04L 51/212 using filtering or selectiv...H04L 63/1425 Traffic logging, e.g. anoma...H04L 63/145 the attack involving the pr...
